tv   Top Cyber Officials Testify on Threats Deterring Attacks  CSPAN  January 14, 2022 5:18pm-8:29pm EST

5:18 pm
top security officials testified on cyber threats and ransomware attacks before the
5:19 pm
house oversight and reform committee. they discuss future attacks and educating the public about online security.
5:20 pm
>> welcome, everyone. welcome to today's hearing. pursuant to house rules some members will appear in person and others will appear remotely via zoom. for members appearing remotely i know you're all familiar with zoom by now, but let me remind everyone of a few points. first the house rules require we see you, so please have your cameras on at all times. secondly, members appearing remotely who are not recognized should remain muted to minimize background noise. third, i'll recognize members verbally, but members retain the right to seek recognition verbally. in regular order members will be recognized in seniority for questions. lastly, if you want to be recognized outside regular order you may use the chat function to
5:21 pm
send a request. you may send an e-mail to the majority staff or you may unmute your mic to seek recognition. we'll begin the hearing in just a few moments when they tell me they're ready to begin the livestream. let me say this is a bipartisan issue. everyone in the country is deeply concerned about cyber security, and i hope we will be able to work in ways to strengthen protections for american business and government. are we ready to go? okay. the meeting will come to order. without objection the chair is authorized to declare a recess of the committee at any time. i now recognize myself for an opening statement. this has been an unprecedented year for cyber attacks. the country is still reeling from last year's cyber attack against the company solar winds that was linked to a russian and infected numerous, several
5:22 pm
agencies. these attacks have been described as a wakeup call for america, it attacked all through the federal government and numerous private sectors also. just this weekend it was reported that the fbi, our premier law enforcement agency for investigating cyber crimes was itself the victim of a hack that allowed e-mails to be sent from fbi e-mail servers disguised as genuine fbi e-mails. in short we are at a tipping point as cyber attacks have become more common and potentially more damaging. several recent attacks have used a type of malicious software known as ransomware, which encrypts a victim's system and demands a payment in exchange for restoring access or refraining from publishing stolen data. this is especially dangerous
5:23 pm
because it can shut down an entire system and can cause chaos in a community, an industry or even an entire country. and cyber criminals are now demanding and receiving more money than ever. in march cna financial and insurance company reportedly paid the largest known ransom payment ever and in may ransomware criminals attacked the colonial pipeline resulting in the shutdown of more than 5,500 miles of gasoline pipeline spanning from texas to new jersey and causing temporary gas shortages up and down the east coast. the cost to unlock the system was $4.4 million. also in may jbs foods, one of the largest meat suppliers in the united states, shut down its plants when it suffered a ransom
5:24 pm
attack. the cost to unlock their system was $11 million. in june this committee launched an investigation out of concern these multi-million dollar ransom payments would equip cyber criminals with even more financial resources and encourage future attacks. today the committee issued a staff memo with some of the committee's preliminary findings. we found that these attacks often stem from minor security lapses, even at companies with seemingly robust cyber security. the report also highlights the importance of clearly established federal points of contact for companies to avoid wasting precious time when an attack is under way. finally, we found that companies face substantial pressure to pay these ransoms quickly making it harder to stop these attacks.
5:25 pm
and it's not just large companies that are targeted. ransomware also harms small businesses, hospitals, schools and local governments. since taking office the biden administration has been countering ransom, and they are really focusing on ransomware as a top priority. this included bringing together 30 nations for a white house summit last month to discuss strategies to combat the threat. it also means taking a tougher line on countries including russia that harbor cyber criminals. the biden administration has also dedicated significant law enforcement resources to take ransom networks off-line and bring criminals to justice. just last week the department of justice announced criminal charges against two foreign nationals connected to the prolific ransomware criminal
5:26 pm
group, revil. doj also recovered more than $6 million in ransom money paid. this is a good start, but we cannot afford to let up on our efforts. congress must ensure coordination of anti-ransomware efforts across the entire federal government and between the public and private sectors. last congress this committee held a hearing on the need to establish a position at the white house to lead the federal government's response to cyber threats. i was proud that president biden nominated chris inglis to serve as the first national cyber director this year and that he has testified before us today. i am also pleased that the infrastructure investment and jobs act, which president biden signed just yesterday included 21 million in funding for the office of the national cyber director. this law which house democrats
5:27 pm
passed over the objections of most house republicans will also provide $1 billion to help state and local governments shore up their cyber security so we can prevent ransomware attacks, and $100 million to help critical infrastructure respond to significant cyber incidents. and the build back better act will provide new resources to cisa to help enhance cyber security in both the public and private sectors. ransomware attacks are a grave national security challenge. today we will hear from our witnesses about the whole of government effort needed to disrupt ransomware networks and how we can help businesses, state and local governments and others to prevent, prepare for and respond to attacks. i now recognize the distinguished ranking member for an opening statement. >> thank you, madam chair.
5:28 pm
this year we've seen an uptick in major ransomware attacks that have the ability to wreak havoc upon americans' everyday lives. one of the largest commercial insurers in the u.s. was subject to a ransomware attack and paid $40 million to unlock its network. in may colonial pipeline, one of the largest pipelines in the eastern u.s. paid 4.4 million in crypto currency to retrieve its data following a ransomware attack. in june one of the country's largest meat packers paid $11 million. the fbi's official policy is not to advise companies whether or not to pay these ransoms. during our many briefings with these companies this is indeed the fbi's position they took during the negotiations with the ransomware attackers. even the fbi, the top law
5:29 pm
enforcement agency tasked with fighting cyber crime is not immune from cyber attacks. over the weekend hackers accessed the fbi's external e-mail system, issuing a fake warning as a cyber attack. hackers' ability to penetrate the systems could create catastrophic consequences and chaos. we need to hear from the fbi today on their efforts to disrupt and protect americans from these cyber attacks. i'm pleased we have one witness here today who is senate confirmed to discuss how we can disrupt cyber threats to protect americans from ransomware attacks. unfortunately, this is only the second senate confirmed witness this committee has had this entire year. that is far below what is normal for this committee. unfortunately, the oversight committee under democratic leadership refuses to call witnesses from the biden administration and hold them
5:30 pm
accountable for waste, fraud, abuse and mismanagement occurring on their watch. that message to president biden, no more. the american people oppose the biden administration's radical left-wing policies and are already seeking change. president biden and congressional democrats' actions to spend trillions on a socialist agenda have backfired. president biden is now more unpopular with the public than any other president at this point in history. not only that but more than two-thirds of people in this country under president biden's leadership is headed in the wrong direction. president biden's policies and decisions have created numerous crises that have impacted americans' daily lives. gas is now 60% higher. inflation is at a 30-year high
5:31 pm
causing families to struggle with how to pay for meat, milk, eggs and other basic necessities. this year thanksgiving is set to be the most expensive thanksgiving ever. there's chaos at our ports with ships lining up with nowhere to deliver the goods. and certain networks are criticizing truck drivers, the essential workers who have been shipping goods throughout the pandemic. a record number of illegal immigrants were apprehended at our southern border this year and the surge continues because of this administration's pro-illegal amnesty agenda. this is not to mention the drugs flowing across the border. the biden administration has advised to go after parents they deem as terrorists. at the same time the biden administration turned a blind eye to real terrorists in afghanistan who seek to harm women, children and u.s. troops. the biden administration's disastrous withdrawal from
5:32 pm
afghanistan has left a national security and humanitarian crisis in its wake. and sadly, this committee is ignoring it all. committee republicans have written to the chairwoman over 20 times requesting hearings, investigations and briefings on many of these topics and more. these issues are core to our committee rooting out waste, mismanagement and fraud. we are the people's house. we must be responsive to the needs and demands of american citizens, but this committee under democrat leadership refuses to do its job. it's no wonder this committee has received an "f" grade for how it has conducted oversight from a non-profit organization. it's past time for this committee to get back to its mission and conduct oversight on the many issues facing americans today. the american people demand it, and they deserve nothing less. madam chair, i yield back. >> the gentleman yields back,
5:33 pm
but before i recognize mr. connolly for opening remarks, i'd like to take a few moments to address some of his concerns. the biden administration has created over 5.9 million new jobs in the first nine months of president biden's administration. this is a record for any new president. we created 531 new jobs just last month. and with the passage of the infrastructure investment and jobs act, which the president signed into law, a bipartisan bill, it is going to create even more jobs and help grow the economy. our unemployment is under 4.6%. and if the republicans could see some of the very good things that the biden administration is doing instead of just spending their time attacking him, we are working this week on the build back better act which would further strengthen our economy by making historic investments
5:34 pm
in our infrastructure and people. we did respond to your request for a classified briefing on afghanistan. we have government officials before you today, and with that i yield to mr. connolly. >> i thank the distinguished chair for holding this hearing, and let me join her in regretting the fact that the ranking member has chosen to use this hearing for propaganda rather than -- and in that examination of ransomware and its impact on the economy and u.s. businesses and u.s. governments. i find the word chutzpah is appropriate at this moment given the fact our republican friends for four long years resisted any oversight over the trump years including serious legal issues from security clearances to the trampling of democratic norms --
5:35 pm
>> would the gentleman yield to a question? >> if the chair will allow me extra time to do so. i thank the chair. yes, sir? >> would the gentleman in his criticism of our criticism of not doing enough oversight, do you generally believe this committee has provided any oversight? >> re-claiming my time let's get back to the purpose of the hearing. let's not engage with their propaganda. let's get back. we have three important witnesses. let's hear what they have to say. >> again, madam chair, with all due respect this is the oversight committee. >> the gentleman is not in order. the gentleman has the time and he's absolutely right we should focus on the purpose of this hearing. >> i thank the chair. the ramifications of ransomware permeate our economy, public health infrastructure and national security.
5:36 pm
in recent years ransomware has grown into a multibillion dollar criminal industry. in 2020 more than 2,300 u.s.-based entities were affected by ransomware attacks inflicting hundreds of millions of dollars in economic damage. at least 113 of these ransomware attacks targeted government entities costing an estimated $915 million. one of those attacks happened in my own congressional district. in september of last year hackers launched into the nation's tenth largest school district in fairfax county and the computer system was attacked by ransomware after obtaining sensitive personal information about the students and employees. that's just one example at the local level. the coronavirus pandemic abruptly revealed how ill-prepared many of our state and local governments were in delivering vital public services securely and remotely. criminals took advantage of
5:37 pm
overwhelmed public i.t. systems generating a significant uptick in cyber crime. in response to the hearing i introduced the senate state and local digital service act. this important piece of legislation provides guidance and funding to state and local governments to form digital service teams focused on delivering fair, effective and secure public services. the bipartisan infrastructure bill, as the chair has noted, which president biden signed into law yesterday provides more than a billion dollars in vital investments that will assist both public and private entities
5:38 pm
affected by major cyber events. these investments will save taxpayer dollars in the long-term by reducing the vulnerability of states and localities to cyber crime and ransomware attacks. i look forward to hearing from our witnesses today about the steps the biden administration has taken to combat ransomware attacks and the ways congress can ensure the united states implements a whole of government response to all cyber attacks moving forward. i thank the chair. >> the gentleman yields back, and i would now like to introduce our witnesses. our first witness today is the honorable chris inglis who's the first cyber director in the white house. we look very much forward to your testimony.
5:39 pm
congratulations on your appointment. then we'll hear from brandon wales who's the executive director of the cyber security and infrastructure security agency. originally we'd planned to hear from the director of cisa, jen easterly. she was scheduled to testify. unfortunately, she had a family medical emergency and was not able to be with us today. so we're deeply grateful to mr. wales for appearing on extremely short notice to testify today. finally, we'll hear from the assistant director of the cyber division of the federal bureau of investigation. the witnesses will be unmuted so we can swear them in. please raise your right hand. do you swear or affirm the testimony you're about to give is the truth, the whole truth and nothing but the truth so help you god? >> i do. >> let the record show the witnesses answered in the affirmative. with that, director inglis
5:40 pm
you're recognized for your testimony. >> thank you for the opportunity to appear alongside you today, and assistant director from the federal bureau of investigation. cisa's role is the operational coordinator for federal cyber security and support to our nation's critical infrastructure combined with fbi's deep expertise and its essential role in victim assistance, investigation, attribution and threat disruption comprises a breadth of experience, and resource that does make a critical difference for the american people. cyber is a team sport, and i couldn't ask for better teammates including recent actions to prevent, deter and mitigate ransomware attacks against public and private sector networks.
5:41 pm
before turning to ransomware allow me to say a few words about the office i have the privilege to lead. the role of the national cyber director was established in the congress in january this year. i am grateful for the confidence the president and congress have placed in this role and for the essential investments in cyber security you included in the recently enacted infrastructure, investment and jobs act. at the same time i announced the designation of the deputy national cyber director for federal cyber security, a dual title he'll hold as the chief security officer to create purpose in our shared mission. both of these announcements lay the groundwork for a national cyber director team that continues to increase its contributions to the nation's
5:42 pm
overall cyber security posture. four key outcomes will serve as benchmarks to gauge the success of the office of the national cyber director, first to drive coherence across the federal enterprise and how it supports the defense of critical infrastructure owned and operated. second to strengthen and improve private, public collaboration in cyber security. third to work closely with the office of management and budget to ensure the u.s. government aligns cyber resources to its priorities to include advising departments, agencies and the congress on recommended changes. and finally to increase present and future resilience of technology, people and doctrine within the federal government and across the digital ecosystem. as this committee well knows ransomware attacks leverage in the ecosystem. it allows connectivity and efficiency of scale unrivalled in any other domain.
5:43 pm
our competitors can achieve and these attacks are costly and pernicious. accordingly crafting a strategy to stop the scourge of ransomware has been a priority for this administration. that strategy begins with understanding what makes ransomware so effective. ransomware actors are able to purchase their tools on the black market which once exposed can be torn down and quickly rebuilt. the systems these criminals target are far too often left vulnerable by failures to patch, to properly secure data, to create reliable backups or to ensure front line employees of targeted organizations exercise basic cyber security practices. inconsistent application of anti-money laundering controls
5:44 pm
permits criminals to leverage permissive jurisdictions to acquire and launder the proceeds of their crime. and finally ransomware criminals are often able to operate with impunity in nation states where they reside. the administration's efforts therefore include action on four broad fronts. first, disruption of ransomware infrastructure and actors. second, bolstering resilience. third, addressing the use [inaudible] to launder ransom payments and finally leveraging international collaboration to disrupt the ransomware ecosystem and address safe havens for ransomware criminals. consistent with and supportive of the strategy the biden administration supports legislative efforts to require reporting that would help prioritize the precious resources to support victims, disrupt threat actors and guide future investments to improve
5:45 pm
resilience. thank you for the opportunity to testify before you today. i look forward to your questions. >> thank you for your testimony. mr. wales, you're now recognized. >> thank you for the opportunity to testify today on behalf of the cyber security and infrastructure security agency alongside national cyber director inglis. i look forward to discussing cisa's efforts against the ransomware epidemic. responsible for reducing risk to the digital and physical infrastructure americans rely on every hour of every day. within the administration's approach to countering ransomware cisa's focus is on
5:46 pm
bolstering resilience. unfortunately, strengthening resilience to withstand ransomware attacks is arguably the most difficult of our collective efforts because it ultimately relies on changing human behavior. certain steps are easily implemented at the individual level. they're much more difficult to implement community, business or organization wide. building resilience requires a long-term investment in people, processes and technology. every organization that wants to avoid being a victim of ransomware must invest in the practices that would keep their customers, their systems and their data protected. investments that make good security and business sense. the question we need to ask ourselves is what do we do now to truly have an impact? i point to three things. first, we must give people the tools and guidance they need to increase their resilience and security. that is why cisa is working to raise awareness and promote
5:47 pm
basic cyber hygiene across tens of thousands of businesses and cyber organizations and governments throughout the country. earlier this summer we led the development and launch of the u.s. government's official repository of resources from across the interagency to help public and private organizations tackle ransomware more effectively. today stopransomware.gov has had 450,000 page views. and our assessment tool has been downloaded over 150,000 times. second, because vulnerabilities are widespread across technology environments it is increasingly challenging for any organization to prioritize which vulnerabilities to fix. so last week we released the operational directive which established the dynamic cisa managed catalog of more than 300
5:48 pm
known vulnerabilities that are exploited requiring federal agencies to remediate such vulnerabilities within a specific time frame. while aimed at the federal government we strongly encourage every organization to adopt this directive and prioritize mitigation of these vulnerabilities. those listed in cisa's public catalog as we continually identify newly exploited vulnerabilities. third, we must drive impact at scale if we hope to achieve the level of resilience we seek. critical to that effort will be our partnership with key players who could help us achieve broad-based effects. two groups of outstanding thought leaders and experts will provide critical perspective, insight and knowledge in dealing with our most difficult cyber challenges. these efforts build on the recently launched joint cyber defense collaborative or jcdc, a partnership between key federal agencies and private companies who see across networks and industries to help us identify
5:49 pm
emerging threats, provide actionable information and take action at scale to reduce the risk of compromises of all types. finally, perhaps the most important role is to leverage our expansive information sharing. but presently we only receive information on a fraction of incidents. this hampers our ability to conduct critical analysis, spot adversary campaigns, release mitigation guidance and provide timely response. this leaves critical infrastructure vulnerable which is simply unacceptable. providing this information to cisa and our federal partners will allow us to enrich it and get it out broadly. given the importance of visibility into the true size and scope of the cyber threats facing us, i urge congress to move quickly on the urgent priority of adopting incident notification legislation. today marks the third anniversary of the cyber
5:50 pm
security and infrastructure security agency. you have entrusted us with a critical mission, and i am honored to work alongside an incredible group of men and women who execute that mission with professionalism, integrity and excellence. thank you for your partnership and support. our nation is attacks undertaken by both nation states and criminals. in collaboration with our government and critical infrastructure partners, international allies, and with the support of congress, cisa will continue to lead our national call to action. i want to thank you again for the opportunity to appear before the committee. i look forward to your questions. thank you. >> thank you for your testimony and for responding on such short notice. and our last witness today is assistant director vorndran. you are now recognized for your testimony. >> good morning, chairwoman maloney, ranking member comer, and members of this committee. thank you for the opportunity to be here to represent the fbi and our cyber program and to sit with chris and brandon as a unified front against a growing ransomware threat in this country. the three of us and our staffs
5:51 pm
are constantly in touch and i appreciate the work both of them and their organizations are doing to keep this country safe. i would also like to thank in no particular order the department of justice, the secret service, u.s. cyber command, nsa, cia, treasury, and state, all who have a significant role. i hope everyone leaves the room today understanding that no one federal agency can tackle cyber threats alone but that we each have unique authorities and capabilities allowing us to create a whole greater than the sum of our individual parts. ransomware may just now be grabbing the headlines but the cyber threats facing our nation aren't new. in fact the fbi's cyber division is turning 20 years old next year. over that time we've learned a lot, most notably how to work within the interagency, with foreign partners and with private sector companies. we also have recent reminders about the long arm of the law with the arrest in poland of the individual who conducted a ransomware attack against kaseya.
5:52 pm
our current strategy is focused not just on indictments or arrests, though we do think it's important to remove players from the field, but on pursuing and disrupting the actors, their infrastructure, and their money, all while providing help to victims and actionable intelligence to warn potential future victims. looking ahead, i have no doubt the playing field and the rules of the game will change over the coming months and years in the face of this threat evolving. i believe our interagency team is improving each day and we're excited for the opportunity to continue to serve and protect our country from cyber threats. as chris mentioned, there are four critical outcomes for all of us. federal coherence, improving public/private collaboration, aligning resources to aspirations, and increasing present and future resilience. the fbi, due to its unique authorities, will play an important role in achieving each of these outcomes. but the fbi won't be able to fully support these strategic outcomes if we don't receive timely information about cyber breaches. as the cyber threat has evolved
5:53 pm
over the past 20 years, one thing has remained the same. the fbi has been at the center of acting on u.s. based cyber threat intelligence. it's what we do best. when i discussed the fbi's value proposition in cyber with people who want to see this country succeed, i describe it this way. the fbi is the only agency in this country who can get a well-trained agent working with local computer scientists, intelligence analysts and others on any doorstep in this country within an hour. cyber is a global, mostly foreign-based threat. and we can be on the doorstep of foreign law enforcement and intelligence services in a position to assist within a day in over 70 countries too. our agents care. they want to make a difference. that's why i and almost everyone else joined the fbi. now, i know there are several cyber incident reporting bills currently being considered, and i can't stress enough the importance of the fbi receiving full and immediate access to cyber incidents so we can act on them as soon as possible and in
5:54 pm
unison with our federal partners at cisa. the faster we get this information, the faster we can deploy a local cyber threat expert to a victim's door, track, freeze, and seize funds taken and ultimately hold cyber criminals accountable. 24 hours probably wouldn't seem like a big delay to most people but the help we can offer within that time can be the difference between a business or a piece of critical infrastructure staying afloat or being crippled. let me state the same as a sports metaphor. why would a team bench one of its best players in the first quarter of the super bowl? it doesn't make a lot of sense to me, and we're all focused on the incredible harm cyber actors are causing, so to give those criminals a head start against the people protecting the public doesn't make sense. as the u.s. government continues to hone its approach to this problem, to take full advantage of all instruments of power at its disposal, i believe we'll see two significant types of outcomes. first, we want to degrade the ecosystem where it is no longer worth our adversaries' time and
5:55 pm
effort to commit these crimes. second, we do want to remove players from the playing field. it's awfully hard to hack a computer from behind bars. >> thank you very much. i now recognize myself for five minutes. the united states is a major target for ransomware attacks. it's really a threat to our national security. it's my understanding there is legislation attached to the ndaa that will allow our government and require our government to start tracking data on cyber attacks. i'm hopeful that this will be signed into law. this is a good first step. many other experts tell me the next thing we have to do is get a stronger coordination between the private and public sector,
5:56 pm
which mr. vorndran spoke about in his testimony. it's hard for the government to respond and help if we don't even know about the attacks. there have been numerous bills before congress, for a long time. we have not been successful in passing them because there is resistance and really objection from the private sector. i understand that england has been successful in setting up systems that have the private sector now working with their government to respond to cyber attacks. i would like to start with mr. wales, but invite our other two panelists to answer if they would too, what can we do to pass this legislation, put in place this type of cooperation? this is a threat to our national security, our economic security, and certainly to the public and private sector. so if we could start with you, mr. wales. >> sure. so i'll answer the question in kind of two parts. the first part is associated with the legislation you're discussing. i think as both -- all three of
5:57 pm
us said during our opening statements, passing cyber notification legislation is a top priority. we need the information because that enables cisa and the fbi to both engage with that victim, offer our assistance, understand what's happening on their networks, and protect other victims as well as all the threat response and going after the actor and following the money that the law enforcement community including the fbi begins to do from that point. but even today, there is a lot that we are doing across the u.s. government to improve our public/private partnership to enable more effective cyber defensive activities and protecting the homeland. i mentioned during my opening statement the recently launched cyber defense collaborative where we've brought together the critical government agencies like the fbi and the nsa and cyber command along with those companies in the private sector who have the best visibility into the cyber ecosystem. we're talking about major cloud providers, major internet service providers, the cybersecurity firms in the private sector who provide
5:58 pm
response, support, and protection to tens of thousands of companies across the country. as we work together to identify and spot adversary activity, as we share indicators back and forth and enrich them on both sides, we're able to provide more protection than anyone can do independently. these are the companies that can take action on a massive scale to protect networks. and so even if companies are not part of that collaborative up front, they're often being protected by the activities that are happening within that structure. it is something that is new, we've rolled it out in august. we've already seen fairly significant success in identifying recent campaigns and activities. and we really look forward to working on this more in the future and appreciate congress' support since this effort was enabled by authorities granted in last year's ndaa. >> thank you. and in the interest of time, i now want to move to assistant director vorndran. last week the department of justice announced charges
5:59 pm
against two foreign nationals for their role in the ransomware attack against the florida-based software company kaseya. one of the people indicted is a russian national who is reportedly responsible for over 3,000 ransomware attacks. i commend the justice department and our international partners for bringing to justice these attackers. but to hold cyber criminals accountable, russia has to play by the rules. can the charges against the russian national be viewed as a test case for russia's willingness to crack down on cyber criminals? earlier, mr. inglis has testified publicly, made public statements that because of the biden administration's active engagement on combating cyber, that some of the activities in russia seem to be more mild. but you said you don't know if this is going to be sustained. but could you respond on this,
6:00 pm
and how should the u.s. respond if russia fails to act? >> thanks for the question. i would default the -- or defer the question about the administration test case to mr. inglis. from a fbi perspective, we have not seen a decrease in ransomware attacks in the past couple of months originating from russia. please understand we do have incomplete data in a best case scenario, we only see 20 percent of the intrusions into the country. no different than our partners at cisa. but the fbi has remained focused on investigating cyber criminals in and around russia for well more than a decade at this time. so the indictment of polyanin is just the latest indictment that we've pursued based on criminal conduct here in the united states. >> would you like to comment, mr. inglis? >> yes, ma'am, i would simply add to that that it's very important that russia play a part in this. it is far more effective to stop these threats at their source. and a permissive environment, if harbored, if given safe haven by
6:01 pm
the russians, would encourage more entry into this space. that being said, we're not powerless. we're kind of using only the russians as a tool to push back on this. the strategy that i articulated earlier and that others have reflected on actually says we can become a harder target, we can increase resilience and robustness, we can bring international coalitions to bear, we can find these transgressors not simply in russia as they travel to other countries or ship their illicit gains broadly across the internet. so all of those instruments should be brought to bear. we will continue to pressure the russians very strongly to help them understand they must do their part. >> the gentleman yields back. my time has expired. in answering the question, i went over time. i give certainly as much time and more to my distinguished ranking member mr. comer. >> thank you, madam chair. in early july, a florida software company became the victim of a ransomware attack causing widespread outages for over a thousand institutions
6:02 pm
ranging from hospitals to schools to grocery stores. it wasn't until july 23rd, three weeks later, that the company announced it had received a universal decryption key to help companies restore their files. in september, "the washington post" reported the fbi had secretly obtained the digital key to unlock these files yet sat on it for three weeks and never told the companies, costing untold millions of dollars in recovery costs. the fbi's rationale apparently was to carry out an operation to disrupt the hackers, a group known as revil, yet according to the group's post the platform went offline without government intervention before the fbi even had a chance to execute the plan. in september, the chairwoman and i wrote to director wray asking for a briefing on the fbi's decision. we never received that briefing.
6:03 pm
and mr. vorndran, i'm going to address my first question to you, but with respect to the briefing, i understand that you're not at the top of the organizational chart of the fbi, but please relay to director wray when the oversight committee requests a briefing, we expect a briefing. i don't think it's any secret in eleven months, we're probably going to be sitting over there, and we're going to have a lot of questions for the fbi from the steele dossier to the ransomware attacks we have a lot of questions from the fbi, at the very least, when we request a briefing, especially in a bipartisan manner, we expect a response. mr. vorndran, and behind the fbi's decision to withhold the digital encrypter key, can you explain why? >> sir, i think the question is how do we do what's in the best long-term interest of the public and balance that with protecting
6:04 pm
the public in the short term. stated differently, if any one of us had a loved one with a disease and we could take a longer-term approach to completely eradicate that disease, takes a little bit of time, perhaps a little discomfort for a loved one, we probably prefer that over a less effective, shorter term solution because in the end we would know we would have more long-lasting effect. the decisions that you're referring to in asking about -- are very, very complicated and they're ones we take seriously. and it's why decisions like those are not just made within the fbi but they're taken into an interagency environment for final determination of what makes the most sense. i think it's also really important to remember that those decrypter keys you're referring to were developed and coded by safe harbored criminals. in this case, we took an extensive process to develop a
6:05 pm
safe and effective way to deploy that decrypter key to the victims at kaseya. obviously grabbing malware coded by criminals in russia and deploying it onto u.s. infrastructure would not be a wise decision. and those things take time to get right. we repeatedly tested that decrypter in different environments because an even worse case scenario for us would be providing criminal-generated decrypter keys to victims that introduced new vulnerabilities and back doors into u.s. infrastructure. so i'll stop there for today, sir. >> did the fbi conduct any estimates as to how much money was lost by the hundreds of institutions due to the bureau's decision to withhold the digital encrypter key? is that -- >> sir, i'm not prepared to answer that question today. >> we would, you know, that's -- we get complaints from businesses as their representatives and as members of congress about decisions government agencies make, and it's always frustrating when the
6:06 pm
government agencies or bureaucracies don't take into consideration how much this decision will actually cost. and that's a problem. director inglis and mr. wales did your agency agree with the fbi's decision to withhold the digital encryptor key and was the decision unanimous or was there dissension? >> thank you for the question and the opportunity to comment. my organization was not in place at the time that this operation was in place. took place, but my read of the record was that this was a well-discussed and consensus position of the various agencies that had the opportunity to comment. and simply observe as assistant director vorndran said, there was never a question about the desire in a timely, broad way to disrupt this action and save the downstream effects on potential further victims. the question at the end of the day is how do you maximize the timeliness, allow the criminals to escape, to take their access
6:07 pm
to various customers that haven't been sprung and spring them at some later time. if you wait for a while, and that is therefore a very subjective choice, one that must be well considered, you might then be able to simply remove the entirety of this threat from the landscape. if you wait too long, then there are too many victims. there's something between zero and infinity that you have to come down to align on timeliness and strength. >> mr. wales? >> i think director inglis' response was -- you know, on the money. this was a challenging environment. and i think anytime you're in the middle of an incident response, balancing the various equities of what can be shared publicly, what needs to be held back so that you can achieve longer term benefits. those are part of ongoing discussions during every incident response that our agency in cooperation with the fbi is involved in.
6:08 pm
and i think that care and open discussion was evident in this case as well. but i don't think there's anything else we can say about what happened in the interagency right now. >> i'll close with this, madame chair, i strongly encourage the fbi and whoever in the biden administration is faced with this decision again to take into account the hundreds of millions of dollars that private companies are losing by a decision to withhold unlocking that. that's something that should be taken into account. with that, madame chair, i yield back. >> the gentleman yields back. the gentlewoman from the district of columbia, ms. norton is now recognized. ms. norton. >> thank you, madame chair for this important hearing. very important. the focus of ransomware and the news has been on big corporations. i was astonished to find that
6:09 pm
schools are more likely to be the target. and yet they have the fewest resources to deal with this matter. so i look for examples and i have found that in brown county, broward county, florida, a district there, had a demand for $40 million in ransomware. and when the school district refused to pay, the hackers posted 26,000 stolen files on the internet. so harm can, in fact, be done. mr. wales, it looks like schools face unique risks. and i wonder what can be done.
6:10 pm
they have few risks, yet we need to strengthen this cyber security in k through 12 schools. could you briefly, mr. wales, i thank you for agreeing to be here on short notice, briefly say what cisa is doing to address the problem of ransomware against schools. >> sure. thank you, congresswoman. we are and have been working hard to expand our outreach to school districts as a result of the growing threat of ransomware that they have faced. i'm particularly making them aware of the free resources that are available today that can help them improve their cyber security under a cooperative grant to the multistate isac, which helps support state and local communities throughout this country. there are a number of free services that the msisac offers
6:11 pm
to school districts and other state and local governments that can help them provide critical protections, including things that block malicious domains. they provide initial triage and support during incident response. and there are more services that can be taken on. unfortunately, school districts are among the least signed up for a number of free services. we're doing a lot to raise awareness. in addition, thanks to some additional authorities provided to congress last year, we have been hiring state cyber security coordinators that are designed to live in each state, and work directly with the state and local governments in their areas to make sure that they understand the services that are available, and we now have 36 of them on board throughout the country, and part of their job is to help conduct this kind of outreach and awareness. in addition last month, the k through 12 cyber security act
6:12 pm
was passed and signed by the president. that required us over the next 120 days to better identify what more can be done to support state and local governments when it comes to protecting school districts, and to begin to roll out those services, including new trainings and we have a team across our agency working with relevant interagency colleagues like the department of education on our response to that legislation and we look forward to briefing congress on our plans in the coming months. >> mr. wales, it does look like you are doing a great deal, but the department of education in our report that has recently been issued by the gao noted that various services to help k through 12 with cyber threats appear to have an extremely low participation rate.
6:13 pm
you have something called albert that schools can get for a modest fee. yet less than 10% of districts across the united states have signed up for this service. mr. wales, how can we encourage better participation and programs at cisa, that cisa funds and offered to school districts around the country. is the fee too high, is there lack of awareness about the program, what's the problem, and what can we do about it? >> i think like a lot of our cyber security challenges, this is a multifaceted problem. we do need to do more to raise awareness so that people at school districts and there are a large number, i think the number is around 13,000 school districts throughout this country, we need to raise more awareness so that those folks
6:14 pm
working on -- >> 15,000. >> 15,000. we need to do more to raise awareness so those people know understand what resources they can get, including a number of free resources. for some things it's going to require an investment. we are very hopeful with the new state and local cyber security grant program that was established in the infrastructure bill that was recently signed by the president will give us more ability to provide resources down further into the state and local governments, some of that money can be used to protect schools. that will be part of the ongoing conversation we have with the states about the implementation of that grant program over the next several years, so we think help is on the way, but this is a collective problem, and i think anything that you can do from your purchase to raise awareness in the districts that you represent about the services that are out there and reaching out to the government to see what else can be done to protect the nation's schools, we'd strongly encourage you to do that and we're willing to provide any support to help enable that kind of outreach and engagement.
6:15 pm
>> thank you, mr. wales, my time is expired. >> thank you, the gentleman from south carolina, mr. norman, is recognized. >> thank you, madame chairwoman. director inglis, you have a big job. security of america is being compromised by this administration allowing the millions coming in here from 152 countries that we have no idea what they're -- why they're coming. do they have terror backgrounds and the task that you have along with the others is unbelievable now. you mentioned russia. and you mentioned pressure points. the only non-pressure point that this administration has done is allow them to build the nord stream pipeline which aids and abets russia, the very country we're attributing the cyberattacks to. so what pressure -- what specific pressure points do you
6:16 pm
think this administration with their record will actually do to bring them to comply? is it just to ask them to be nice? >> so thank you very much for the question. it's an important question. this administration, not unlike other administrations has been very clear with the russians about what we expect normal behavior looks like. not simply -- >> in words. >> in words. not simply kind of articulating what we believe they should not do but what they should not harbor as safe havens in their country or abroad. we brought an international coalition to bear to make the same statement. >> give me specifics, what pressure points with a rogue country like russia, what specifics do you think as head of the national cyber security team would be implemented to use leverage to stop their actions? >> the first opportunity we give them is to simply, of their own accord to cooperatively respond to the question we made.
6:17 pm
>> just more words. >> we have provided information to them. we are now assessing whether they provide that we would withhold certain diplomatic status, certain economic benefits. >> what? give me specifics, what would you do specifically that would at least slow them down as to the cyber attacks and you give them, i know words, but words with this administration mean nothing. >> attribution is important in this case. i think that we have clearly attributed these actions to persons who operate in the russian or russian near abroad. we have not attributed these actions to the russian government. we therefore have to give the russian government an opportunity to understand what the nature of that problem is and then to address it. our patience is not unlimited in that regard. we have conducted a number of what are called expert group meetings with the russians to make it crystal clear who we think is accountable here and what we need them to do about that. there is a limit to that patience, and when that is done, there are diplomatic and financial remedies brought to bear on the leadership of those
6:18 pm
entities. we have also brought 30 nations to the city to have a discussion about what an international coalition might do in this regard, and i think that russia clearly sees that the deck is stacked against them in that regard, and they must therefore act. >> in all due respect, you gave words, but you didn't have any specifics. it's just asking. it's pleading with them. i feel for you and your job because the next major attack, if it's on our energy grid, for example, our water supply, which is -- i don't know whether it was one of the 17 items that this president mentioned that were off limits, asking them not to attack that. i don't know if that's on the list. at what point is this a declaration of war, a declaration that we cannot put up with. what's this administration going to do other than words?
6:19 pm
>> it's an important question, and there are multiple pressure points. russia is one of those pressure points, but we can also make it such that we're a harder target and they simply cannot prevail the criminals harbored or given safe haven by russia cannot prevail because we correct the errors that we make in the construction of the defense of these systems. we can ensure we disrupt the architecture used against us. and we have done that. there are any number of examples in the last week of that. >> what? give me some examples of that. >> essentially taking the money back from the criminals. there are two occasions in the last month where we have done that. we have arrested and extradited -- >> were they in the country? were they already here? or did you have to -- >> as you note, sir, cyber space is a borderless terrain. therefore as much as they can reach us, we can reach them. >> it's borderless but it's got people behind it. >> it does have people behind it, but therefore if we bring allies to bear, we can use jurisdiction in places like poland and romania, the two most recent examples, to apprehend
6:20 pm
criminals and bring them to justice using the courts of the law that exist in the west, so all of those remedies, essentially giving russia, the ultimatum, we have to give them an opportunity to understand and address this. two, addressing the actors and the infrastructure that is essentially holding us at risk at the moment, and making sure we're sufficiently resilient and robust. some of those will make a difference. some of those can in fact push back on this threat, deterrence isn't found by simply shooting your way out of it. that's an important part of the solution, but ultimately you need to make it such that you're a hard target and proactive. and robust in your defense -- >> they're shooting their way into us. i yield back. >> the gentleman yields back, the gentleman from massachusetts, mr. lynch is recognized for five minutes. >> thank you, madame chair, thank you for holding this hearing, and i want to thank our three witnesses for their great work and i understand how difficult this challenge is. i also serve as the chair on the fintech task force over in the
6:21 pm
financial services committee, so i'd like to change gears a little bit and talk about some of the ransomware attacks that have been happening with financial services firms. i know that earlier this month, the fbi released a private industry notification, and basically it reported that ransomware attackers are now leveraging specific significant financial events, such as mergers and acquisitions, initial public offerings as a focus point to launch ransomware attacks, and the idea is for the ransomware attackers is to impact the victim companies' share price at that crucial time. you know, at the point of a merger or acquisition and an initial public offering. most recently, the ransomware
6:22 pm
group darkside, that's the same group that is responsible for the attack on the colonial pipeline in my part of the country and it has shut down major fuel supplies on the east coast. they recently said about these type of attacks and i'll quote them, if the company refuses to pay, we're ready to provide information before the publication so that it will be possible to earn in the reduction price of shares. basically they're providing information to short the stock. and assistant director vorndran, ransomware attack is usually not something that is on the top of a company's mind, you know, there's a lot to do with an ipo or with mergers and acquisitions. i'm just wondering, is this a particularly vulnerable moment for these companies and how much damage can a ransomware attack inflict, especially during this process? >> thank you, sir, for the question. you know, i think as the threat
6:23 pm
has continued to evolve, we have seen our cyber adversaries continue to change direction where they have the most leverage. so the private industry notification that you're referring to highlights a vulnerability for companies in your discussion in the financial space that have a lot to lose during the m & a process. and i think if i were a company, the primary recommendation i would have would be to evaluate all the vectors of risk through that m & a process, and how you're going to manage that situation if something does go wrong. but to director inglis' point, a lot comes back to our resiliency posture. the same question has to go to the companies have they taken the precautions that they deem appropriate for that risk profile, as they go through an m & a process. i'll stop there and certainly
6:24 pm
happy to take followup questions. >> sure. are we doing anything fbi or mr. inglis or mr. wales, are we doing anything with some of these companies at this moment, you know, looking at ipo or working with nasdaq or the exchanges so we can identify that point of vulnerability and have them, you know, plus up their own security so that at least they're aware and taking proactive steps to defend themselves during that period of vulnerability? >> sir, i'll take a first stab at that. i think we have fairly aggressive posture when it comes to working with the financial sector. it's one of those sectors that has focused heavily on organizing itself to make sure they are sharing information amongst the various companies in the financial sector, and that they want to work very proactively with the government to share information and to take action when possible. so that partnership is good, there are a number of organizations that have been set up to enable that type of strong
6:25 pm
prior partnership in the financial industry. there is certainly more that can be done. i think things like the industry notification that fbi had mentioned earlier are designed to feed into that process, raise awareness inside that community so it can be more of a focus. but i would say, sir, you know, you're looking at one side of the challenge, but this is industry wide. it shouldn't matter whether you're going through an ipo or not. every board should care about the cyber security of their company. it should be part of the questions on due diligence when they are going through m & a in every case. and so we are trying to do more to make sure they are asking the right questions and taking the right actions quickly. >> okay. i was trying to get another question in but my time has expired. thank you. i yield back. >> thank you. the gentleman from pennsylvania, mr. keller, is recognized for five minutes. mr. keller? >> thank you, madame chair, and thank you to the witnesses for
6:26 pm
being here today. the increase in both frequency and severity of ransomware attacks shows the urgent need for action. so i appreciate the topic of today's hearing. malicious attacks represent a very real threat to americans' privacy, financial well-being and the integrity of our national infrastructure. we cannot afford to let these continue to happen. so i would just like to ask assistant director wales, we all know the fuel prices are already skyrocketing, gasoline is already a dollar more per gallon than it was last time this year and americans are projected to pay up to 30% more to heat their homes this winter. cyber incidents such as the colonial pipeline attack just six months ago underscored how vulnerable we are to various cyber threats. can you explain to us how
6:27 pm
another ransomware attack on a pipeline or other critical energy infrastructure might affect the already high price of fuel. >> sir, your point is exactly right. during times like this, the infrastructure becomes even more critical because disruptions could have even more significant consequences and it's why we continue to encourage critical infrastructure owners and operators of all types, and across all sectors to think carefully about the risk profile that they have, the potential consequences that could stem from a disruption of their operations, and what more they can do to enhance their security and their resilience, if they have a disruption, they can get back up and running quickly, without the full consequences happening. in the case of pipelines we have worked since the colonial pipeline, with the transportation security administration, which is the sector risk management agency for the pipeline subsector, and who regulates the security of pipelines, they have put in place a number of security
6:28 pm
directives designed to improve the cyber security posture of the pipeline industry requiring them to conduct certain assessments on their cyber security, providing those assessments to the government and provide information on cyber incidents in those sectors. there's been a lot more engagement and outreach with the pipeline industry in response to what we saw from colonial and other information available to the united states government. certainly more could be done, and we have an ongoing work program underneath the white house focused on improving natural gas pipeline, cyber security, the end of september. cisa released new industrial control system performance goals across industry, across all of our critical infrastructure, setting for the first time, what we believe should be the baseline cyber security posture, for any company operating industrial control systems in the united states, and we think we're really pushing hard on this to protect our critical infrastructure, we've got a ways to go. we really support, we're
6:29 pm
encouraged by what we're seeing and really appreciate the support we're getting from congress for some of these important initiatives. >> thank you for that, and you mentioned everything that the companies could be doing for this, and i know they're going to do that because, you know, they need to. other than -- and the importance of it, and the job of the federal government to make sure that americans and that would be companies that americans rely on and own can produce this, so other than giving putin a list of things that they shouldn't hack, you know, other than the president giving a list, which the list should be very short. nothing that affects an american or any of our allies should have been the list. i mean it would have been a really short list if i would have put it out there. in addition to giving putin a list of things they can hack, can't hack, what else has the administration done to make sure that our adversaries know that we're not going to tolerate
6:30 pm
them -- any kind of ransomware, any kind of cyberattacks on our infrastructure or quite frankly, anything of american interest around the globe. >> congressman, i'll be happy to complement the answer thus far which i support. i would say the administration, again, has been clear with the russians about what the consequences of failing to assist in cleaning up this safe haven in their near abroad would be. diplomatic, economic, indicate also law enforcement. but again, we're not powerless if the russians were to fail to take their appropriate action. we brought a coalition to bear such that that coalition will bring further pressure on the russians. we have done our own research necessary to understand who these criminals are, and when and where possible we have caused them to be arrested in the various countries they may travel to and extradited to the united states. we have followed the money flows and apprehended that money when and wherever possible. we have used our intelligence
6:31 pm
resources to assist the private sector in understanding what the threats to them are, and at the same time, give them best practices so that they may up their game and become a harder target. the sum of all of those will make a determinative difference. the russians can help make that a better program but it's not a completely weak program without the russian cooperation. >> i understand the russian cooperation and what you're talking about but if you followed this around, they have been arrested and there's been some money recovered. i think that ought to be money that goes back to the american people and the people impacted by this. i would just like to know what we've done, and maybe this can't cover it in five minutes, but i would like to know what we've done to make sure that we're certain that putin is going to make sure that these things don't happen. he's going to do everything he can to stop it. i don't know that we have that confidence yet, and handing him a list of things, quite frankly, the list should say nothing. you can't hack anything or we're going to hold you accountable. thank you, and i yield back. >> the gentleman yields back,
6:32 pm
the gentleman from virginia, mr. connolly is now recognized. >> i thank the chairwoman, and i agree with my colleague, by the way, the danger of handing a list of prescribed cyber attack items is that the inference could be drawn everything else is fair game, and that's a real risk. mr. inglis, last month, the department of justice launched the national cryptocurrency enforcement team and the civil cyber fraud initiative to marshal department's resources on complex cyber and cryptocurrency investigations, earlier this year, the department also created a ransomware and digital extortion task force. in july, the national security council established a ransomware task force. we of course have a cyber division in the fbi, and we have mr. wales as the executive director of cisa. when you were, before the senate for your confirmation hearing, you said that one of the primary
6:33 pm
purposes of your position was to create coherence among federal agencies with respect to cyber security. given the proliferation of various entities in the federal government on cyber-related issues, how big of a challenge is that coherence? i worry about the traditional compartmentalization that characterizes how the federal government responds to everything. >> sir, it's an excellent question and a question that i think is on the minds of many when they look at the complicated organizational arrangements that pertain in cyber space. no less complicated than the united states department of defense, which has a navy, army, air force and now space force. it can be coherent if we are joined up, using each of these deep and sharp strengths such that they collaboratively, collectively, concurrently make
6:34 pm
the difference they should. that's our job, that's what we're pursuing. if you ask the task force whether they understand what the other task force is doing and how they complement each other, i think you would get a solid answer. i would be happy to come back and talk at length about the details underneath all of those. if i might address your earlier observation, the president having given vladimir putin a list, if you ask any cyber expert in the united states and various other places, but in the united states, how do we describe critical functions, that person would likely say we describe them 16 ways, there are 16 critical infrastructures. therefore if you were to say don't attack critical infrastructure, turns out there are 16 definitions. it's the energy sector, transportation sector and so on and so forth. that's simply a way broadly to say don't attack anything critical. >> yeah, let me just say to you mr. inglis, i'll stipulate that last point, but with respect to
6:35 pm
your observation about my question, let me just say, the experience is at best spotty within the federal government. you look at terrorism as a challenge and the coordination among federal agencies, say, prior to 9/11, not something to be proud of, and in fact, information was withheld. information wasn't shared. intelligence wasn't shared. cooperation was not a characteristic of the culture, not only within the federal government, but between the fbi and other agencies of the federal government and our local law enforcement. >> sir, i do acknowledge the historical accuracy of your observation. you're quite correct. we have had moments when we failed to connect the dots or worse, where we failed to combine our efforts to even form the dots. i think what you're hearing from this panel today is that we understand that we must integrate and collaborate such that we discover and do things together that no one of us can do alone. that is the challenge.
6:36 pm
>> i will observe that we had the ceo of solar winds, mr. ramakrishna before this committee talking about the attack his company experienced that affected a lot of federal agencies, and his observation was having a single entity to which all of us can refer will serve the fundamental purpose of building speed and agility in this process. too much time is wasted in communicating across agencies where information is very fragmented. >> sir, we agree, and to quote my good friend jen easterly, we shouldn't need a ph.d. in government to get a cohesive response from government. >> well said. final observation, maybe to you, mr. vorndran, should companies or federal agencies or state and local governments pay a ransom? what is the guidance we give, and if a ransom is ever to be
6:37 pm
paid, should it not be a last resort rather than the first response to the threat? your observation, and what policy guidance does fbi give and then i would yield back? >> sure, i appreciate the opportunity to get this on the record, the fbi's official position is that we do not recommend any company paying a ransom. however, we understand that a company's decision to pay a ransom should be based on their own business priorities, and if they choose to pay the ransom, we would ask that they simply let us or cisa or the appropriate federal law enforcement agency they're working with at the time know because the quicker we're able to see the money the better the chance we have to trace it. so our bottom line position is we do not recommend paying ransom because it fuels a huge criminal enterprise, but we do understand it's a business decision, and we understand that that's a company's decision. >> thank you, and i yield back. >> gentleman yields back, the gentleman from arizona mr. biggs is now recognized. >> i thank the chairwoman, and i thank the witnesses for being here today.
6:38 pm
so some cyber security experts have said that diplomatic pressure, and criminal prosecutions are insufficient to deter adversaries. and that the administration should use offensive cyber operations to degrade an adversary's capabilities and create credible deterrence. i'm wondering, and i guess for each of you, is what offensive cyber operations might be effective in deterring cyber attacks on our businesses and our government entities director. >> thank you for the question, sir. i think taking a broader interpretation of what offense looks like in cyberspace, it might not be what you -- one would imagine in kinetic space, using all instruments of power, trying to impose cost to perhaps stop, thwart or apprehend, right, the threat of the moment.
6:39 pm
we can use diplomatic power to use other nations' authorities to arrest and extradite people, combine that with legal authority, we prosecute those people in our own court. that to the individual is an offensive maneuver. we can essentially use our capabilities to find and arrest money flows. we can use our capabilities to take down illicit infrastructure. we can collaborate with the private sector to thwart these attacks as they come across the boundaries that those various operators have. as the law of conflict would say, and i avoid the term armed conflict, this is not an armed conflict, but as the law of conflict or contention might say, the remedy must be proportional to the need. and in this case, we have many instruments of power at our disposal such that we can understand what's happening to us, engage it at the earliest possible moment and bring these threats to heel. >> director, i'm sorry, i was going to give you a chance, i'll try to get back, i just want to ask, you mentioned a number of things i thought would be categorized as offensive in the
6:40 pm
cyber world, how successful, how much have you engaged in that, how successful have you been and then i'll turn the first question over to mr. vorndran, and then mr. wales. >> i think that we have applied all of those instruments to have the powers of early discernment through diplomacy, legal means, financial means, and understanding in cyber space what's transpiring and at those moments when we understand a threat is being made against us to interdict that at the earliest possible moment. i would say anecdotally over the last weeks or month you have seen some evidence that those are beginning to succeed, against the nature of the threat which is long in the making, it's not unlike climate change, which is decades in the making and therefore can't be turned around in a fortnight. it's too soon to tell whether we will sustain that in a concurrent applied fashion to make the changes necessary. that being said, as important as that offensive component is that you address and that i've
6:41 pm
attempted to explain, defense is equally if not more important, stopping these threats by simply making them such that they may not succeed is as important as any other, because there's no nation in the world that is more dependent upon infrastructure, digital infrastructure than we are, and we have to be concerned that if we were to -- >> i thank you, and as you're answering the questions, mr. vorndran, i would like you to elaborate on arrests, indictments and the interdiction and interception of flows of money that are being -- that you are undertaking, if you can. >> of course. i just want to go back to the first question you asked, sir. one item to build on what director inglis said is we heard a reference to pre-9/11 and post-9/11, the ecosystem in cyber moves at a pace that far outpaces what we saw post-9/11 and terrorism. the reason i highlight that is because the public/private
6:42 pm
collaboration and what the private sector sees on its infrastructure is infinitely high, and without that flow of intelligence from the private sector it inhibits our ability to be more proactive and more offensive. to your second question about, you know, the term following the money, we have virtual currency experts in the fbi, secret service has them, irs has them, we are all looking at those money flows, treasury is heavily engaged in sanctioning individuals and entities so that u.s. persons and u.s. businesses can't partake in that. so virtual currency remains a very key focus area in terms of putting pressure on the threat. >> thank you, and this is for you mr. vorndran, earlier this year, "the washington post" reported that the fbi refrained for almost three weeks from helping to unlock computers of hundreds of businesses and institutions hobbled by a major ransomware attack, even though the bureau had secretly obtained the digital key needed to do so. i guess the question is do you believe there are steps the fbi could have taken to provide
6:43 pm
relief to the victims of the ransomware attack without compromising the bureau's efforts to disrupt the russian-backed hackers there, knowing that it was estimated that literally millions of dollars were lost by the victims? >> sir, my answer to that question is already on the record, i'm happy to go through it again if you desire. >> yes, i would. >> okay. so, indirectly, director inglis provides the answer as well. how do we do what's best to protect the public in the long-term, if i had a loved one with a terminal disease, if i could take a long-term effort to sustain their life for longer, knowing i would have a more impactful outcome, i would probably play that hand versus a band-aid solution. so in our efforts, right, we thought with our interagency partners and this decision was taken to a complete interagency
6:44 pm
team where there was consensus that it was best to play the long game. i think it's really really important to understand that those decrypter keys were built by criminals, not built by us. taking a decrypter key built by a criminal, and simply deploying it to, in this example, the downstream victims is not a good decision here, and requires multitudes of testing environments and time tied to those testing environments to make sure we're not inadvertently introducing back doors or other malicious code on to u.s. infrastructure. >> the gentleman yields back, mr. raskin, you are recognized. >> thank you very much, in july, justice department official richard downing testified before the u.s. senate that doj believes only one quarter of ransomware intrusions are reported. at this rate, the government is missing crucial information that it could use to help ransomware victims and deter future attacks. for victims who do want to
6:45 pm
report a ransomware attack, the guidance on who to report to is not exactly clear or efficiently organized. for example, if i'm the victim, and i visit the fbi's web site to report it, i'm encouraged to take one of three steps. i can report the ransomware attack to my local fbi field office, submit a tip through the fbi's tip portal or report it to the fbi's internet crime complaint center or ic3. assistant director vorndran, how many fbi field offices are there? >> sir, there's 56. >> 56. so if i'm the victim of a ransomware attack, there are potentially 58 points of entry to the fbi to report the attack, counting the online portals. now, if i visit the web site stopransomware.gov, i'm advised it's the one-stop ransomware resource. i'm advised that i can report not only to the 58 points in the fbi but also cisa and the secret
6:46 pm
service which has its own network of field offices, too. director inglis, let me ask you, i appreciate the possibility that i might have multiple points of access, but doesn't this sound potentially confusing and byzantine to a ransomware victim trying to figure out where actually to go? >> congressman raskin, thank you for the question. i admit if those were independent entities it would be confusing. there would be too many opportunities and you wouldn't know that it got to the right place at the right time. our job on the government side is to ensure if you told one of them, you've told all of them. cisa, fbi, secret service routinely coordinate the information they have received and we have established something called the joint cyber defense collaborative where the information is synthesized and pushed out to a much broader population. >> all right, good. i want to pursue that point. when cisa receives a ransomware report from a victim, does it automatically share that information with the fbi or the secret service, mr. wales?
6:47 pm
>> yeah, so i would say that in almost all cases we're in partnership with the fbi and also with the secret service. in almost every case where we have conducted direct engagement with or notified a victim that is always coordinated ahead of time with the fbi, we in almost all cases do that jointly to ensure that cisa's role in terms of providing support, responding, helping to understand what happened and sharing information, and the fbi's threat response role, that we can both support that company through that engagement. >> in what cases would you not? >> you know, i don't think there's any cases where we say we're not going to do it. i just want to leave myself a little bit of flexibility if something came in in a weird way, and one of our field personnel did not report properly that it may not have happened, but that is not the standard operating procedure that we operate under. >> okay. assistant director vorndran, when the fbi gets a ransomware report from a victim, does it automatically share that information with cisa or the secret service?
6:48 pm
>> sir, i will double down on mr. wales' statements. we have central coordinating entities between fbi headquarters cyber division and what's referred to as cisa central to share all of that information. all of our threat reporting and notifications flow from our field offices back into that portal. so certainly our intention and we believe our practice almost 100% of the time is cross-coordination with cisa, but certainly none of us are failure proof. so i'm sure there is one or two examples out there we haven't gotten it exactly correct. >> director inglis, if a victim reports a ransomware attack through any of the channels listed on the stop ransomware website, does that guarantee every agency that needs to know about the attack is notified or is it more ad hoc, does the collaboration as just set forth by these other two gentlemen, does that collaboration work systematically and uniformly? >> as my colleagues have said, the design and the intended operation is that having told one of them, all of them will
6:49 pm
then know and be able to respond with their unique authorities. >> right. i find it curious no one wants to state categorically it happens. >> sir, i would say that the caveat here is that we're kind of allowing for the fact that the system is not perfect. therefore there may be a situation or two where it doesn't work, and we will work to correct that. >> i see. >> and identify those. >> so if it doesn't happen, that would be an accidental thing. that would not be the product of a deliberate policy. >> that's correct. there are no policies that would fail to share but the implementation is what we're then cautioning, might not be perfect. >> if a ransomware victim thinks he or she has been the victim of a crime, they don't need to file an independent report with the fbi. it's enough to report it to cisa, for example, is that right? >> that's correct, sir. >> okay. all right. finally, mr. wales, is there any specific reporting advice you can provide to a small business owner suffering from a ransomware attack, what should they do?
6:50 pm
>> sir, we actually worked with the multistate isac to release a ransomware guide last year. it was designed for state and local governments, but it is very applicable to small and medium sized businesses, and it actually goes through kind of a checklist of what to do ahead of time, how do you better protect yourself and prepare for ransomware incidents and then goes through -- my last remembering looking at it, maybe 19 steps you should undertake if you have a ransomware incident including kind of understanding what happens, isolate your network to the extent you can, when you should turn off devices, and who you should call, kind of works through the steps as someone who has been a victim what they should do. and how they should potentially engage with an outside firm who can potentially help them, reach out to the government who could potentially offer some support. that information is out there, on stopransomware.gov, designed for the small to medium sized business. >> thank you very much. i yield back, madame chair. >> the gentleman from florida is
6:51 pm
recognized, mr. franklin. >> thank you, madame chairwoman. mr. vorndran, what is your estimate of the percentage of cyberattacks that are criminally motivated versus foreign intelligence cyber operations? >> sir, i don't have a good answer to that question today. i would be happy to take that back and give you a more refined answer. all i can say between nation state actors and criminal attacks on u.s. infrastructure both are extremely prolific. >> do you ever see or do you believe in your opinion, do you think there are nation state actors that are posing as criminals at times to probe our networks under the guise of just seeking ransomware but actually have a more nefarious intent? >> sir, we can -- it's more of a classified discussion, but what i can say here is we would refer to that as a blended threat. and so, there are some intelligence gaps about whether intel service individuals are moonlighting as criminals or state actors are hiring
6:52 pm
criminals to conduct certain activities. those are some gaps. certainly happy to have a more classified discussion with you if that's of interest to you. >> do you think the spike we're seeing is it people are more willing to report it or are there more attacks because crooks are seeing it's more profitable, more lucrative. why the recent spike, do you think? >> so our data, and again, i think it's important to highlight that we only see, our estimates are, about 20 to 25% of the total intrusions and i'm quite sure brandon would share approximately the same figure with you. it's very hard to say increase, decrease. what we can say, though, is that in the last six months we have not seen a decrease in the amount or frequency of reporting on ransomware attacks. we attribute it to the simple fact that it's incredibly lucrative for the criminals. that's partially due to the valuation of virtual currency but it's partially due to the vulnerability of our systems and
6:53 pm
our infrastructure here that makes it profitable in both ways. >> okay. thank you. director inglis, the colonial pipeline attack caused major disruption at the gas pumps, you know, there was talk about concern of it shutting down the energy grid, if something like that were to happen, obviously there would be mass chaos. it's not hard to think of other examples of attacking health care systems where we could see a significant loss of life. i know this isn't completely within your purview, you have it with your military background, as well, in your view, when would such an attack rise to an act of war? >> typically, classically, the attack rises to an act of war when it achieves the damage a kinetic weapon would achieve, the loss of health, safety, kind of national security of a significant nature. that being said, these are serious at any level. and therefore require that we respond fully with the remedies proportionate to that need. we need to double down on resilience and robustness, we need to proactively defend
6:54 pm
these cases and we need to find and bring to justice the transgressors who conduct these actions. >> we talked about the 16 critical infrastructure areas, and it's one thing to reach out to, you know, a foreign country like russia and tell them pretty please, you know, please don't do these things, but should we be engaging in treaties or formal documents with other nations to establish those trip wires, like geneva conventions or something of that nature? >> there was a global group of experts sponsored by the united nations in the 2015 time frame that described norms that constitute reasonable, expected behavior in this space. the united states signed on to those. just a week and a half ago, the vice president in paris announced that we would support the paris accords which are a similar articulation of what is reasonable and responsible behavior in this space. they do not have the force or effect of treaties but clearly are recognized by like minded nations as the way one should
6:55 pm
behave in the space and the responsibilities of nations in the space. >> something like that could provide us cover and justification, when violated, so that when we responded in kind we would have the international -- >> it has practical purposes established. what we would describe then as reasonable and appropriate behavior and therefore we're able to describe what is not. >> mr. wales spoke earlier in his testimony of improving our incident reporting system. should the definition of major incident change so that congress is better informed when cyber attacks occur against federal agencies? >> i think that we need to have a standard definition of what a major incident constitutes such that we can uniformly, regardless of where an event might take place, inform the congress of those things that are truly major or in some cases significant. to your point, if those decisions are all made locally, then there's going to be a certain degree of inherent unevenness. if we're to operate with unity
6:56 pm
of effort, unity of purpose, we need to make sure we have a common standard, a common definition, and when and where appropriate, and there are various situations where that is entirely appropriate, to inform the congress. >> thank you, and i yield back. >> gentleman yields back, the gentlelady from illinois, ms. kelly is recognized. >> thank you, madame chair, as ransomware threats continue to spike, our response has been plagued by the challenge of hiring cyber security workers into the government. as of august, there was a shortage of about 36,000 public sector cyber jobs across all levels of government and about 1,700 are vacancies at the department of homeland security. needless to say, we need to fill these positions and ensure our cyber defense systems are operating at full capacity. the department of homeland security recently made a dent in these cyber vacancies with the successful hiring initiative
6:57 pm
which led to the onboarding of 300 new cyber security professionals and the extension of 500 additional offers. mr. wales, what made the department's cyber hiring initiative so very successful? >> thank you, congresswoman. this is a high priority for both cisa and the broader department, and we've made hiring a really high priority for everyone. so just in terms of the past year in fiscal year '21, we hired more than double the new employees into the agency than we did in both fy 19 and fy 20 combined. so we are making real progress. in addition, just yesterday, we announced the launch of the new cyber talent management system, which used authorities that congress had granted a number of years ago to create a new system designed to hire cyber talent and give us additional tools to bring in and recruit and retain the best and brightest into the government when it comes to this space.
6:58 pm
we're really looking forward to using that over the next year to dramatically increase our ability to fill our ranks. in addition, we are working hard to kind of broaden that pipeline, work with different groups, girls who code, the girl scouts, getting more people interested in this space, aware of the opportunities and to highlight the importance that this kind of work plays to our overall security. and we're working hard to look at bringing new groups to bear, whether that's working with community colleges and historically black colleges and universities. there's a lot of efforts underway to grow the pipeline and make sure we can bring in the right diverse work force that is expected to solve the hardest cyber challenges, i know director inglis has been working hard in the education and training space as well and may have additional points. >> congresswoman, i would simply add to that that as you've indicated, leadership matters in this regard. this is not something that can be put on autopilot. we need to revisit the
6:59 pm
definitions for these jobs to make sure we properly describe what those skills are. i think we'll find that we open some of these jobs to a much broader population. we need to appeal to the broadest possible population, use all methods and work as hard on retaining these people as we do on getting them on board in the first place. >> so the other thing i always think about, the difference between public and private, of course, is compensation. it's extremely hard for the federal government to compete, you know, with outside private corporations. so one proposal i put forward with rep gonzalez in the ndaa was creating a cyber digital reserve corps to bring in private sector talent to complete rotations at federal agencies. director inglis, how can the federal government overcome this compensation discrepancy so we can compete with others and get top talent? >> congresswoman, i quite agree that money is an important determinant when people select
7:00 pm
or stay in jobs, so is job satisfaction. so in that case, i think we need to be competitive, but we're not going to pay the largest salary, congress has given many tools to the federal government that i think we can and should employ. we need to work hard as we do at giving job satisfaction feedback to the people who take these jobs, such that they stay on the merits of the sum of those factors. >> but as director inglis notes, we're never going -- the management system, let me say, that we rolled out, does include the ability to pay more competitive salaries. we will not be as competitive as the private sector but the opportunity to work in government and do things in the cybersecurity field that you cannot do any place else, i think, is an attractive opportunity for a lot of professionals in this space and it is incumbent upon us to demonstrate that opportunity when we are engaged with
7:01 pm
audiences and particular prospects for jobs. >> my other question goes to attracting diversity but you talked about that already. i don't know if you have anything else you want to add. and mr. wales, i hope the people you send out to recruit have the passion that you just displayed about it, so hopefully, if they are like you, we will be able to get the people that want to work for the government but i don't know if there is anything you want to add around the diversity piece. >> the only thing i will add is that the increasing diversity of our workforce is one of our highest priorities, one of the highest priorities for director easterly and we are seeing the results of that in new employees, particularly junior employees. we have a pipeline of cyber professionals that will represent this country well. thank you. >> thank you and i yield back. >> the gentleman from new mexico -- the gentlelady from new mexico,
7:02 pm
ms. herrell, is recognized. >> thank you, madam chair, this is an important hearing, it's vital that we confront cyber attacks on our government and on critical infrastructure, the food industry and energy. director inglis, as you know, jbs, the second largest processor of beef, pork and poultry, faced ransomware attacks. jbs supplies about 25% of pork and poultry to the united states. concentrated control heightens the potential for severe disruptions to our food supply and it is vital that we mitigate against future risks. i actually think it is dangerous in and of itself to have four companies controlling 80% of the beef processing industry. but what i want to ask you is, director inglis, do you agree that such concentration of our food supply creates an additional risk for cyberattack? >> the concentration, of course, is a concentrated target for
7:03 pm
risk. that is not an unfair concentration if we make it sufficiently resilient and robust that it is nearly impervious or resilient to those attacks. i think our first endeavor is to take the systems that we have and make them more resilient and robust. it is a hardware problem, a software problem, a people issue, a doctrine issue. it doesn't necessarily have to beat all of us to get one of us. make sure we are proactive defenders of the supply chains and use all the instruments and government instruments in a given incident so that we can quickly restore the systems to their proper function. >> right. i thank you for that, because i think -- and you actually answered my next question, which would have been, well, what is the administration doing to put protections in place so that we don't have a threat to, especially, our food supply. the administration is also considering shutting down a liquid gas pipeline that
7:04 pm
transports fuels from wisconsin to michigan to ontario. i think this would be reckless and a danger to americans in the winter, causing a surge in prices for heating oil. this is an unnecessary danger to the american people, especially if we consider what is at risk from cyberattacks. rather than thinking about shutting down a vital pipeline, is the administration studying how to prevent future pipeline attacks like the colonial pipeline attack that occurred? >> i will start and i will be happy to refer to director wales. the answer is yes. looking at the critical infrastructure sector, the components, the government has stepped forward to determine whether or not discretionary features in software or hardware that are required to create defensible architecture -- more recently we have articulated what those should be for pipelines broadly.
7:05 pm
i will allow deputy director wales to respond. >> as i mentioned earlier, there are a number of activities underway, specifically designed to address the cybersecurity risks in the pipeline area. some of that is in response to the colonial pipeline incident. in its wake, the transportation security administration released directives designed to improve cybersecurity of critical pipelines throughout this country. some of that requires conducting more detailed vulnerability assessments, some required reporting to the federal government so it can take action and respond. in addition, on the natural gas pipeline side, there are activities underneath a white house ics initiative, industrial control systems, which operate the pipeline between the physical and -- is a part of that. there is certainly more work to do in recognizing how critical pipelines are to the economic security and national
7:06 pm
security of this country. it is why we are working in such close proximity with industry and our partners to provide more information, more expertise, conduct our own assessments and make sure that the pipelines are as protected as possible. >> great. i really do appreciate that and i think americans after seeing this earlier this year, they see the importance of protecting our assets, whether it is oil and gas or food supplies. you already touched on this. i was going to ask, what are we doing to counter these attacks and how we are responding to protect our nation's energy sector, but you just answered it. so i appreciate your responses and you all being here. with that, i yield back. >> the gentlelady from florida, ms. wasserman schultz is recognized. >> thank you. ransomware attacks on critical infrastructure -- director easterly
7:07 pm
said two weeks ago that cyber attacks on our critical infrastructure posed a serious risk to, and i quote, american lives, and florida is squarely in those crosshairs. attacks were launched on hospitals in central florida, leaving nurses and doctors with lost patient files. a hacker tried to spike the levels of sodium hydroxide. thankfully, a water treatment worker blocked it in time from causing sickness and death. in one recent attack, attackers targeted hundreds of schools, businesses and customers served by a miami-based company. this hurts more than just a little in economic distress. in may, gasoline prices skyrocketed following an attack. it appears that various actors target critical infrastructure, including not only cybercriminals but also nation states and their proxies. director inglis, these attacks focus on large organizations
7:08 pm
that have robust systems, but even large systems lack points of contact with the federal government. we now seem to have a patchwork of agencies focused on cyber threats. in your position, what are you doing to clarify roles and make sure that state and local governments and large government organizations and non governmental organizations know who to contact? >> thanks, congresswoman, i appreciate the question. the report released by this committee today and the findings and recommendations, one of which was, it is essential that the government be joined up and coherent as individual citizens attempt to seek service from that government. my office has indicated four broad outcomes that we should be held accountable for. the first is federal coherence. and that is how we manage our own digital infrastructure and how we support the defense of critical infrastructure.
7:09 pm
despite that, the federal government has a diverse -- that can be brought to bear and be joined up. such that all of us can understand and bring all the various authorities. that's the goal and that's what we should be held accountable for. >> but that doesn't really answer what you are doing to clarify the roles and make sure that state and local governments and large ngos know who to contact and how they should respond -- >> let me give you some specifics, then, on that. since the office was created and funded yesterday, but since the office was created i've worked closely with the cybersecurity and infrastructure security agency, cisa, to ensure that they have the necessary inputs from sector risk management agencies, classically the federal entities that deal directly with critical infrastructure at the department of energy, defense and so on and so forth, such that if you report it at the interface of one of those critical sectors, cisa would
7:10 pm
receive that. in the same way, i have worked with cisa to make sure that they synthesize and get the big picture, that that is then disseminated broadly, right, to all of the respective organizations so that if the government knows something in any particular place, they know it in every place. and more importantly, we push that proactively to the beneficiary. that work is not complete. right? it is very diverse and grew up as a set of separate stovepipes. but that's the work that we have been doing and i spend arguably half of my time on that issue. >> thank you, i appreciate that specificity. i also want to follow up on the response to chair connally's response to the federal government response on ransom payments. director, as you know, a cyber insurance policy deals with costs associated with a ransomware attack. consultants, data systems, bringing them back online, covering interruption losses. but some policies even cover
7:11 pm
ransom payments. given your stated position on ransom payments, what would your recommendation be to state and local governments when they are making a decision around purchasing such insurance? >> thank you. that is a challenging space for me to venture into in my job and the organization i represent. but what i would say is simply that state and local governments need to understand that there are risk calculations and they need to understand the risk and resilience and how much time they would be able to take to legitimately bring all of their systems back online, to have a functioning state or local government. and based on the totality of that analysis, that should drive whether they do or don't want to buy cyber insurance. >> thank you very much, madam chair, i yield back the balance of my time. >> the gentleman from texas, mr. cloud, is now recognized. >> thank you, madam chair.
7:12 pm
our discussion today has rightly focused on cyberattacks, it's a big national interest, colonial pipeline, meatpacking plants and the like. i wanted to focus a bit on some of the rural counties. a lot of the district i serve is rural. we've had at least two communities affected by attacks against them. jackson county and another community. jackson county, its population is about 14,000, three incorporated cities. in 2009 it experienced a cyber attack by hackers using the riot ransomware. data backups were compromised and the system shut down and hackers demanded 362,000 in bitcoin, which, for a rural community like that, is a lot of money. they were able to -- the state of texas responded and the texas cyber incident response team, along with the texas department of information resources and i.t. contractors were able to accomplish what
7:13 pm
they said were 16 six months of work in about 16 days. they were able to recover and it was at a bit of a cost. what tools or programs are currently available for these municipalities to assess their current systems to develop and implement plans to address vulnerabilities before they are attacked? >> sure. i will start. i mentioned earlier, there are a number of services and resources that are available for our state and local communities, including rural counties and a number of these are at low cost from cisa directly. multi state not -- under cooperative grants, established under cisa, to support state and local governments. that includes assessments and actionable technology that will involve activity on those networks and some incident response supports, should they need them. i think congress has also spoken with the recently passed
7:14 pm
infrastructure bill, that there will be additional resources made available, an additional grant program established by congress in the infrastructure bill. it has a specific amount of money for rural communities and so it is designed to combat some of those challenges and areas that you have identified. and provide additional capabilities that can help them protect themselves. in addition, the infrastructure bill established a cyber response and recovery fund that will be used for the first time. and it is a tool in the face of cyber threats, in a way for the federal government to surge resources and recover from those incidents. and so we are looking now at those programs and identifying how exactly we will work with our state and local colleagues to get those off the ground. what will be the policy and parameters around getting funding available. but in case of the programs, they are good about getting that money out to communities
7:15 pm
and we are working with them closely. >> okay. thank you. director inglis, it has been mentioned already. i would like to say this article tells putin certain cyberattacks should be off limits. the logic behind this in us listing 16 areas that are off limits really does open up the door from a messaging standpoint that everything else is on limits. notably, these rural counties. you know, i would just suggest if you could take the message back to the white house that we should be having the message that all cyberattacks are off limits, and we need to be standing strong on that it would be certainly greatly appreciated. i wanted to ask you, it seems to us we are in a competition globally with other nation states. it is extremely important that we have this pipeline, and that we manage the resources within
7:16 pm
our cyber entities, and the fbi. could you speak as to how we can develop the pipeline? if i could just say this, i would submit this for the record, too. he refuses to respond to the memo -- as we sit here and talk about real nation state threats, and we see news like this, and we are asked to give more resources, you all are coming here because you would like more resources, there is bipartisan support for that, no doubt. we need to firm up our cyber, it is a critical defense mechanism for our nation. but, when we see resources in our intelligence agencies being dedicated to investigating parents at school meetings, it really makes it hard to blatantly give more money to
7:17 pm
these sorts of resources. so, could you speak to the -- and using the resources of our intelligence agency and security apparatus. thank you. >> sure. i think we really squarely focused on one topic. within the department of justice and the fbi, we are different from dhs, and different from d.o.d. and nsa, where we do not have a special pay scale for our cyber talent. what d.o.d., and nsa, and dhs can pay someone who is 22 years old coming out of college with a computer science degree far outpaces ours by approximately 50%. that is a very significant concern of ours moving forward. we do believe that once we have people in the door, we can retain them well, our numbers indicate that. the rate is well over 99%, it has been well over 99%, but the key is how do we attract that
7:18 pm
talent, especially the technical talent. right now, our biggest gap is the pay gap when we compare directly to our counterparts in our federal government. >> and to the question of resources being used to investigate parents instead of going to other actual national security threats? >> you know that i cannot comment on that. that is a memo that was issued by the attorney general, and i am here to represent the fbi cyber division. >> is the fbi taking the memo seriously? >> i am not in a position to answer that question, i am sorry. what i can tell you is that our cyber division uses our resources very, very squarely on cyber threats. >> the gentleman's time has expired. the gentleman from illinois, mr. davis, is recognized for five minutes. you need to unmute, mr. davis. mr. davis, we cannot hear you, you need to unmute. >> thank you madam chairman.
7:19 pm
this hearing is focused on the need for the federal government to marshal all of its resources to strengthen the cyber defenses against ransomware attacks led by national cyber director chris inglis, and -- the success of my ransomware policy will not be completely determined by the makers in government buildings. it will also be determined by decisions made in company board rooms by businesses, even on local school boards. director inglis, you have previously stated, i quote, we need to increase awareness so that every citizen, every person who experiences cyberspace has what is necessary to cross the digital cyber street, in the same way
7:20 pm
that we teach children to cross actual streets, end of quote. of course, large corporations have entire departments dedicated to i.t., where small businesses and individuals typically use off-the-shelf i.t. products, and have minimal expertise in cyber defense. director inglis, how important is education and outreach to improving our nation's cyber defenses, and how can we effectively communicate this need to individuals and organizations of all sizes? >> congressman, thank you very much for the question. i stand by those previous remarks and i would say that it is very important to give the -- the definition that i like of what cyberspace is: cyberspace, the noun, is of course technology. but, it is also people, not simply people being served by
7:21 pm
cyberspace, people are in cyberspace. the decisions they make determine the operations of cyberspace. finally, doctrine, how do we get the roles and responsibilities right? two of those pieces, people and doctrine, depend fundamentally on people understanding how cyberspace works, what the rules are in cyberspace, and who is doing what in cyberspace. who is accountable to defend what under what circumstances. that is not simply something that people who have the word cyber, or i.t. in their job or title need to get their head around. everyone. everyone could be the strongest link, or the weakest link, on the front lines of cyber. how do we do that? broadly, i think there needs to be some sense of accountability on what individuals are accountable for, organizations accountable for, the private sector, the public sector, there is an increasing awareness of that. a reduction in complacency, of this is someone else's problem, that someone else will handle what mistakes i make, we need to feel some degree of accountability. in training and awareness at the earliest possible level, i have suggested in the quote
7:22 pm
that you gave that we do that in kindergarten, right? the earliest possible moment that someone is brought into contact with cyberspace, we need to teach them the ins and outs of that. as much as we teach them how to navigate a hot stove or busy street. >> thank you very much. the national institute of standards and technology's cybersecurity framework has five key functions that form the backbone of cybersecurity. identifying risks, protection of data and systems, detection of attacks, response, and recovery. the director previously testified that 90% of successful cyberattacks start with email, and that multi-factor authentication would reduce the chances of successful attacks by 99%. do you see organizations not
7:23 pm
investing enough attention to guard against ransomware attacks? if so, please explain. >> i think as you would expect, the implementation of sound cybersecurity practices will vary significantly across the industry. there are small businesses that are going to be well protected, and there are large businesses that are going to have significant holes. we feel like it is our responsibility to help raise our baseline of cybersecurity by highlighting the key things that need to be done by everyone. get us to that right baseline of cyber hygiene, where things like multi factor identification are widely used, where privileged accounts, those that can actually affect the operations of our network, are well protected and limited in use, where people are keeping up with their patching, identifying vulnerabilities, as we continue to hit and promote these as i mentioned in my opening statement. we recently finished
7:24 pm
cybersecurity awareness month in october, and we were extremely focused on trying to raise the awareness of the importance of multi factor identification on all accounts. in particular, those accounts with higher privileged access. you know, it is not going to be enough. there are still going to be companies who are not focused on this problem, or who will not focus on it until it is too late. until after they are hit. i think we need to do everything we can across the united states government, in partnership with the private sector, to really highlight the best practices that should be used, and to make sure, as director inglis notes, that the right individuals and organizations are held accountable. >> let's say i am a small business owner without dedicated i.t. staff. where should i focus more of my attention and resources to protect against ransomware attacks? is it prevention? what should i do? >> your mic please.
7:25 pm
we can't hear you. >> congressman, we actually released on our website a list of what we call cyber essentials. what are the first things you should do when putting in place more effective cyber security, as we have highlighted implementing multi factor identification at scale, it is among the first steps we should take. but, we actually walk through a series of steps that small, medium sized businesses can and should do to make sure their level of cybersecurity is appropriate for the risk that they are facing. >> thank you very much. >> thank you so much. the gentleman from georgia, mr. hice, is recognized. >> thank you madam chair. mr. inglis, last year when congress was debating whether or not to create your position, the national cyber director, there were some concerns that we were just going to be creating, yet another layer of
7:26 pm
bureaucracy. so if you can help me understand within the context of what we are talking about today, ransomware, what role does your office play? >> thank you for the question. if i may put that in the context of describing three roles. my role being the one you have asked about. in the context of ransomware, my job would be to ensure that the various instruments that the federal government can bring to bear are deployed in a way that they are concurrent, that they are useful, that they are complementary. therefore to be proactive and concurrent for most in mind. we have talked at some length in this hearing about the roles of sector risk management agencies like the department of energy, the department of defense, but the roles of the fbi, about the roles of cisa. my job is to ensure that they are applied, and they are applied in a way that is concurrent. looking back at the government, you do not need a ph.d. in government to essentially deal with the government. the second broad role that i would then describe is the role of the national security council, which outside of cyberspace is accountable to
7:27 pm
use all of the instruments of power that this nation can bring to bear. diplomacy, intelligence, military resources, financial resources, sanctions that might be applied to bring about the proper conditions and in all the means, not least of cyberspace. that role is also important. the third role is those discrete individual roles of cisa, the fbi, sector risk management agencies. all of them need to do in their lanes what they do in a way that is complementary, concurrent, coherent, such that the sum of those parts -- >> so it sounds like the buck stops with you, so far as ransomware is concerned for every agency of our federal government. do you set federal policy? >> it does stop with me in terms of the performance of the federal government. i am not entirely capable of setting the federal policy, often which is dictated by law, or the existing statute.
7:28 pm
to the extent that we need to adjust the various roles and responsibilities and relationships, i am the accountable person. >> as it would relate to whether or not, this is an example, to withhold encryption keys from victims as it appears the fbi has done, what role or policy would you have in that decision? >> i should be involved in that decision. i wasn't, of course, when that particular decision that we refer to in this hearing was made. but i should be at the table for that decision. there are other factors that come into play in terms of making a determination about a decision of that sort. -- >> let's talk about the other factors. what other variables go into a decision of that nature? >> let's take that incident again. i was not there. so i will just kind of observe from a distance that i enjoyed. >> the buck now stops with you,
7:29 pm
what kind of variables would go into making that decision? >> there are two variables. the one that is not a variable, or issue, is a desire by the federal government to achieve the greatest, broadest possible disruption of the threat that is being held against the united states, or its citizens. the variables, then, are how timely and how broad can you be in the application of that disruption. if you are timely in the extreme, meaning that you disclose the moment you understand some insight into what the actors are doing, then you might give them the opportunity to escape with their ill gotten gains, and to recover, and repeat that experience on another day. you may not know enough about the nature of what they have done such that you can disrupt it more broadly. if you wait too long, such that you take it down, right, in a strategic way, you have allowed too many victims to fall victim to that. so, the alignment has to be made between timeliness and -- there is no question that disruption is the goal. >> that doesn't really answer
7:30 pm
the question in terms of variables when it comes to making a decision about withholding encryption keys. you are talking in broad principles. i would appreciate if you could give me a more detailed answer in writing. i'm going to go to you now, the fbi certainly has had some credibility issues in the past years, recent years. overall, i believe americans look at the fbi as a source of confidence, as it relates to the cyber area. yet, this past weekend, at least as reported and it appears to be accurate, thousands of spam emails masquerading as fbi were sent to state and local officials warning them of a phony cyberattack. so can you explain to me now how this event is not raising more questions regarding the veracity, the accuracy of the fbi
7:31 pm
alerts in the future? >> sir, i'm not sure i understand your question, but let me do my best to answer it. certainly, this weekend, you know, what has -- >> let me clarify the question. i don't want you beating around the bush. the question has to do with the phony emails that went out from the fbi, warning of a phony cyberattack to state and local officials. that being done, how can the accuracy of future emails from the fbi be depended upon by state and local -- how are they going to know what is real and what is not real, if your own cyber has been hacked? i just want to make sure we are protecting state and local officials. how they know what is coming from the fbi is accurate.
7:32 pm
what we saw this past weekend, so that it does not happen again. >> the gentleman's time has expired, but the gentleman may answer the question. >> the incident that you are referring to, we know specifically how it occurred. we also know that no fbi data and no personally identifiable information was compromised. the hardware was taken immediately off line. so we considered the incident contained and it will not impact future communications coming out of the email server. >> i yield, madam chair, but that did not answer the question as to how we can rely on the fbi's information in the future. totally evaded my question and i would like an answer. thank you. >> the gentleman's time has expired. the gentlelady from new york, ms. ocasio-cortez, is recognized. >> thank you so much, madam chairwoman. director easterly, your team looked at some of the excess
7:33 pm
death data during the university of vermont health network attack. i was surprised by the conclusion of that case study, that ransomware attacks on hospitals are correlated significantly with loss of patient life. briefly, how is it that these ransomware attacks have that kind of impact? >> congresswoman, that study looked broadly at excess deaths during covid, during the covid pandemic, largely looking at what happens when hospitals are overwhelmed with icu patients suffering from covid. what were the number of excess deaths from other types of needed hospitalizations or icu admittances. so there were things like heart attacks and cancer etc. we were highlighting, during the course of that study, that
7:34 pm
ransomware incidents have the potential to exacerbate the strain on hospitals and result in additional excess deaths. and that is why it is incumbent upon hospital administrators to make sure that they have the right level of cybersecurity in place. and that they are aware of the potential for significant -- that they are prepared for what might happen should their hospitals be overwhelmed by cyber or other disruptions. and it is why we are working so hard to highlight the results from that work. in addition, what we can do to offer additional assistance to hospitals across the country, as we have been doing over the course of the covid-19 pandemic. >> thank you. and as i understand it, the victims of ransomware attacks, including institutions like hospitals, are often reluctant to admit that they were targeted and sometimes they just pay this ransom and try to,
7:35 pm
essentially, not report it. but just to confirm, and again briefly, director vorndran, paying ransom to cybercriminals, instead of working with the government, does not necessarily guarantee that that data will be decrypted or that the systems will be sick, you are correct? >> that's correct. there are no guarantees that if any corporation or entity pays ransom, that it will be decrypted. we have cases between us and cisa where the decryption keys provided by the hackers have not worked. >> and director easterly, currently, the house is seeking to pass the build back better act. among other things, this bill includes more than 400 million dollars for your agency, the cybersecurity and infrastructure -- the cybersecurity and infrastructure security agency. in concrete terms, can you help communicate to us and to the public, what that 400 million dollars would allow the agency
7:36 pm
to do? and what kind of capacity and what sort of implementation does that by a person? >> sure. congresswoman, there are a number of provisions in there that deals with cybersecurity beyond cisa. but i will focus on the provisions that deal with our agency and the additional funding that we potentially provide. and i think there is a number of initiatives there that go to a series of concerns that have been raised by members during the course of this hearing, particularly related to the security of our critical security infrastructure and the industrial control systems that allow our infrastructure to operate. there is money in there that will help us expand our ability to monitor and protect activities that are actually happening on critical infrastructure networks. and take quicker action and response. there is money in there for research and development, focused on critical infrastructure domains and industrial control systems, to identify new and emerging ways in which we can detect and
7:37 pm
protect those critical assets. there is funding in there for expanded training and education, to the workforce, it goes to topics there that we've hit on. so there are a series of provisions that will certainly help bolster us, help us provide support to the cybersecurity of this country. >> thank you very much and i yield back. >> the gentleman from north carolina -- the gentlelady from north carolina, ms. foxx, is recognized. >> thank you very much, madam chair. i thank our witnesses for being here today and i have a question for executive director wales and director inglis -- inglis, pardon me. we know that ransomware attacks can be devastating. to further complicate -- face additional requirements, if covered by hipaa.
7:38 pm
entities covered by hipaa are required to report a breach of protected health information within 60 days of the discovery of the breach. however, it can sometimes take several weeks of forensic investigation after a ransomware attack to discover that protected health information was compromised. there is pending legislation that may require the reporting of a network breach to the department of homeland security. since health care -- often need time to discover that protected health information was compromised, are there plans to address inter agency communication so that the health and human services office of civil rights 60 day countdown does not begin until the health care entity has determined that a breach of protected health care information has occurred? >> ma'am, obviously there is a number of different versions of
7:39 pm
the cyber incident reporting legislation that are moving around. they will have somewhat different responsibilities for the degree of regulatory harmonization that may be required. because, obviously, there are a number of other regulators that require incident reporting from our critical infrastructure and the financial sector and the energy sector and others. part of that legislation that we have seen would require cisa to work with those agencies if we are implementing our regulation. part of it would require, once information was reported to them, for it to be reported to us within 24 hours of them getting that information. but it is a little too hard to say, in terms of what will be the final passage of the bill. we are still working closely with the relevant congressional committees on that legislation. i can assure you that our goal, working with director inglis and others, will be to ensure the maximum harmonization of those
7:40 pm
regulations, but -- >> thank you. did you want to add, director inglis? >> i would just add to the comments made. many of these bills have a rulemaking period such that the rule is not implemented immediately after passage but in some cases as much as two years after there is a full consideration of the concerns that you raise and others. >> thanks. mr. wales, attracting qualified workers is a challenge for every sector in america. with regard to cybersecurity, are there enough qualified workers for you to hire at cisa? >> that question is hard. we are not hiring them in a vacuum. we are hiring them in an environment of intense competition for cybersecurity talent and we are working hard to retain the cybersecurity workforce that we want. i touched on some of those issues but i think it is essential for the nation that we grow the pipeline of people who are focused in this area. it is not going to be enough to
7:41 pm
just look at the people who are available today. we need to look at what our needs are going to be in the future. to do that we are going to need people who are interested, focused in this area and willing to devote themselves to the cybersecurity field and get involved, whether that is at the federal or state or local government level, or in academia or the research and development community, and we need people in all those areas and others, and so to grow that pipeline, we have initiatives to do it but it will take a lot of effort to make sure that we have the talent required. >> well, chair miss cotton and i are trying to make sure that we have the workforce opportunity act. and if you have specific suggestions i'm sure we would be happy to look at them. director inglis, cybersecurity is not an issue that people often think about until there is a problem. does society need to treat cybersecurity with more urgency
7:42 pm
or should cybersecurity be the role of the private sector and citizens rather than the government? >> i don't believe that this can be completely shocked out to a group of experts who build out and defend the infrastructure independent of the people who are served by the infrastructure. cyberspace, as i indicated, people are not simply served by cyberspace, they are part of cyberspace. individual choices made by ordinary users who depend upon it to conduct their livelihoods or their personal affairs or their businesses, those choices are actually reflected in the weaknesses or the strength of cyber space. therefore, everyone must be involved and we need, broadly, a campaign for awareness -- summary of awareness and training that equips people so that they can fulfill the roles that they need to as individuals or as sectors. >> well, again, i would invite you, if you have some suggestions on how we can enhance our national cyber
7:43 pm
security -- but you don't have a chance to talk about it today. i hope you will share those things with us. >> yes, i will indeed, with you and your staff. >> thank you very much. i yield back, madam chair. >> the gentlewoman from michigan, ms. -- is recognized. >> thank you. if you are hit with an attack of ransomware, this is an example of the graphic that you may see. this was released by a cybercriminal group i believe called -- evil. that is behind some of the most prominent ransomware attacks of the last two years, including the software provider sao and jbs foods. it was reportedly part of an attack deployed against some of the customers. there is a lot of information on here, on this page, but i want to focus on the line that says, you have two days.
7:44 pm
by that deadline, it says, to pay, you know, 5 million dollars in ransom. and if you do not pay on time the price will be doubled. so, mr. wales, this is a fairly common ransom attack, to pressure victims to pay quickly, correct? >> i think my colleague from the fbi can probably describe this in more detail but, generally, this is what cybercriminals are going to do. they try to extort money out of victims. >> and so -- would you like to comment in regards to that? because i think the timeline and the counting down -- >> sure, i appreciate the question and the opportunity. at this point, we would agree with that. the bottom line is that it is an extortion tactic that is heavily leveraged, based on time. and we have unique data in our holdings, based on the number of holding that we have worked with, showing how long we can potentially negotiate and what type of reductions and
7:45 pm
information that we are happy to share with victims, should they be hit by a certain ransomware variant. >> assistant director and mr. wales, part of that threatening is to make use of the stolen data or destroy the key to pressure victims to pay. right? but assistant director, should the companies pay ransom immediately? >> let me split that question into two. ransomware groups are moving to a double extortion model where they exfiltrate data, and they hold it, then they encrypt. it is used as additional leverage for a double extortion option for them to hold additional leverage over the company or the affected organization. so, our position on paying ransoms has remained the same, which is that we do not recommend paying the ransom, because it fuels the criminal enterprise. but, we do understand that it is a business decision for any corporation or entity about whether to move forward with
7:46 pm
paying that ransom. the only thing that we would collectively ask is that we be notified as soon as possible when that ransom is being paid, so we can do our best to track the money. >> you know, director inglis, one of the things that i find here in congress in the three years that i have been here is that there always seems to be emphasis on new laws and criminalizing, when we already, i believe, have some strong legislation now on these types of attacks and criminal activity. do you think that it is really about resources and more funding and investment and enforcement? or do we really need new legislation to try to attack this? >> thank you for the question. i think that your question goes to the heart of the matter, which is that we need a comprehensive approach. we need to double down on investing in resilience and robustness across technology, people, making sure they have the right skills, and doctrine, making sure we have the right roles and responsibilities. do we in fact make it such that a transgressor needs to get
7:47 pm
past all of us to get at one of us. we need to make sure that we double down on the proactive defense of the systems to detect an anomaly at the earliest possible moment. if we fail in those first two pieces, which should have a determinative effect, we are left with responding to an incident, and perhaps chasing, finding the criminal, and bringing them to justice. if we only did that third bit, we would find ourselves in an impossible tail chase. so, we have to do all three of those. >> you know, director inglis, one of the things that i know happens even in the local government, is there a way to measure, okay we invested this much in your department or division, and the result became, are we able to really track the result of investing? build back better, what we have is millions of dollars in investment for this issue, how are we going to be able to measure that it is actually working so that colleagues can see that we need to do more in this way? >> that is a great question.
7:48 pm
during my time in the private sector, i was often asked how much money do i need to properly defend this organization, cyber defend this organization, which is typically not the best first question. the best first question is, do i understand what the role of the digital infrastructure is, am i taking risks that i don't actually want to spend time and money to secure because it is not a risk that i think is worthwhile? have i balanced, right, my risks such that i have done the necessary preparation, it is resilient, it is robust, am i actually following what the system is doing such that, only at that last bit, then can i detect an anomaly, some transgressor inside the system? you have to first think about what the purpose of the system is, have you balanced your investments across that. if you have done both of those things, then you can ask, do i need further dollars to buy down risk to something i have determined is an essential risk, and i have determined i have not been able to secure through resilience, proactive defense, or pursuit. >> thank you so much, very
7:49 pm
insightful. i yield. >> thank you. the gentleman from wisconsin, mr. grothman is recognized for five minutes. >> thank you. first question, this is for mr. inglis. as i understand it, there was recently a cyber incident in an important part of government. it took your agency quite a while to become aware of it. it wasn't reported to your agency for quite a while. is there any reason why agencies are apparently afraid, or hesitant to share information with you? could you give me your general opinion of that incident? >> yes, so if i recall the incident that you referred to, it happened in late july. i think that we came forward to the congress, the federal government came forward to the congress in mid august to describe the nature of that incident, and what we were
7:50 pm
doing about that. is that the one, sir? >> i believe so. i believe your agency was not made aware right away, either. >> we were not. but my agency didn't come into being until i showed up on the 12th of july. it is almost a coincidence with the incident that was revealed as being, we believed, significant. i think there are a couple of challenges here. one, that there are hundreds of things that happen in a system every day that may be constituted as anomalous. it is not something that you would've expected, it is something that may in the end simply be as simple as an anomaly, flipped the wrong way; they are not all subversions that are significant or major, so it is almost impossible instantly to determine what is major or what is not. those often take time. the transgressor doesn't always reveal their methods on that first day. so, long story made short, it might legitimately take two to three weeks. the challenge though in that particular incident was that you had an agency that determined that something had happened, it had understood
7:51 pm
that this was in the context of a lot of other events taking place, and determined on its own that it didn't meet the kind of level of something that should be reported. quantitatively, the statistics that they cited were appropriate, and therefore it was a reasonable decision locally. looking more broadly across the federal enterprise, what we determined when we became aware of that in the middle of august was that this was an incident that could've happened in other places. we need to take that signature and check those other places, which we did, and it is something that in the longer term, in the longer scheme, required an investment to make sure that we prevented this from happening again. so, long story made short, the context matters greatly. the fact that it took two and a half weeks to get to me is not something that i find terribly surprising. we need to be quicker on the draw. we need to reduce noise to, kind of, information that matters. we need to even make it level set across different departments so that we come to the same reputable, defensible answer day, after day, after
7:52 pm
day. that is the scheme that we are committing to at this moment. >> there was a little bit of concern that they didn't report to you quicker. next question. you can tell by the discussion here today, the people talk about china, or russia, or north korea, iran. i guess without identifying those countries, because i can imagine why you would not want to, do you feel that that is a comprehensive list of countries that you have to worry about here, or are there other countries that we should be concerned about as well? >> i think we have a pretty clear understanding of which nations hold us at risk in cyberspace, if that is the question, sir. >> and you feel that is a comprehensive list? >> i think that we know what that list is. and the names that you mentioned are on that list. >> and presumably other countries as well, i guess that is the question. >> the good news is, there are few. the bad news is, there is more than one. >> okay. should we be concerned that al-qaeda or isis will be
7:53 pm
planning an attack like that? do you have the means to do it? >> i would say that there are any number of entities, organizations, or nation states in the world that have the ability to hold cyberspace, cyber infrastructure at risk. we have been discussing this morning a variety of individuals who operate in the safe havens in or near russia, that have held us at risk. so i would say that al-qaeda, isis, anyone who places time and attention on the development of cyber methods could hold us at risk. we don't at the moment discern that that is at this time a risk from them. >> okay, and that would include countries adjacent to, i guess afghanistan is right now kind of in a little bit of a hodgepodge, but would you say that the successor governments, or groups operating in afghanistan would be a problem? >> i am worried about any collection of individuals that would have a low cost of entry, and some ability to develop
7:54 pm
talent that could hold us at risk. again, we have been describing this morning a number of individuals who have formed themselves into a syndicate who have held this nation, and other nations, at risk using ransomware. we are not powerless to prevent that, if we increase the resilience and robustness of our systems, and we proactively and collaboratively defend those systems. >> thank you. >> thank you, and the gentleman from california, mr. desaulnier is recognized. >> thank you madam chair. thank you for having this hearing. thank you to the witnesses for your testimony. i want to talk a little bit about health care organizations, specifically hospitals. recent reports surveyed several health care organizations and found that as many as 40% of them were targets of these types of attacks. at least in one instance there was an infant loss of life.
7:55 pm
extended stays in hospitals are a normal response to service because of these attacks. undetermined is the cost to our health care system. mr. wales, maybe you could talk a little bit about why health care systems, and hospitals specifically, are so vulnerable. >> sure, congressman. you know, we have had one of our senior health analysts describe hospitals, and a number of other resources, as target rich and resource poor. ones that are the focus of adversaries, because they believe that they have a soft underbelly, and in the case of ransomware, that they would be able to pay to get that hospital back up and running very quickly. on the other hand, they don't necessarily have the resources and capability to devote to enhancing the cybersecurity matching the degree of risk that they are facing. that is why i think that we have been trying over the course of the covid-19 pandemic to try to make sure that, as hospitals have become
7:56 pm
increasingly fragile, being overwhelmed with covid patients, that we were able to surge cybersecurity support to those entities, get them loaded into some of the free services that we offer, but frankly that is only scratching the surface. there is a lot more that we need to do to make sure that hospitals are as protected as they need to be, given the potential for disruptions there, and really significant consequences on both the communities as well as the patients within those hospitals. this is an area where there is a lot more work that is needed, i'm not here to pretend that what we have done is nearly enough. this is going to be a constant focus for our agency in the years ahead, to match the level of risk that is out there. >> i would love to work with you more, and i am sure that there are many people in the conversation that would like to work with you more. having had a health care experience, and having been in icu for a long time, this infrastructure is obviously really important, and there should be a sense of urgency, as you say, coming out of covid, both for the clients and patients,
7:57 pm
but also for the staff. could you tell us about specific organizations that are targeting our health care industry, and hospitals? >> yes sir. if i understand your question correctly, which ransomware variant groups are targeting health care, is that accurate? >> yes, that is the question. >> this is a bit of a difficult question to answer, because these criminal groups really go after targets of opportunity where they can find vulnerabilities. so to mr. wales' commentary, of course there are common vulnerabilities in the health care network that any number of the 101 ransomware groups that we track could target. i think it is important to recognize that it is really the calculus of where the criminals find the best vulnerability, and the best access, and certainly that is prevalent in the health care industry. but it is also prevalent in many, many other critical
7:58 pm
infrastructure industries as well. >> specific to this industry, though, we have got laws, hipaa, protecting both patients and doctors at the federal and state level. are there things unique to this industry that we -- thought could be helpful, so that hospitals and health care organizations can provide you with the information, but not feel as if they are becoming susceptible to some other privacy issues, or litigation? >> i will start, sir. so within the fbi, we have a concerted effort to engage the health care industry. the focus of that engagement is sharing tactics, techniques, and procedures of these ransomware criminal groups, but also specific indicators of compromise that they can build into their network defense posture. we work very closely on these
7:59 pm
lines of effort with cisa on a very routine basis to make sure that we get to the hospital communities at large. regarding your questions about hipaa, where hipaa and others come into play is during an incident response framework. there is concern about inadvertently sharing pii, and one of the biggest recommendations we could pass along is to have those organizations, in this case the hospital or healthcare industry, work through, in a moment of crisis, how would they be able to inform the fbi or the other relevant federal government entities as quickly as possible by lowering the barriers on pii and hipaa. >> i really appreciate that. i look forward to working with any of you and with the committee to make sure that we can protect this important part of our culture, of the health care system. thank you, madam chair. >> thank you.
8:00 pm
the gentleman from texas, mr sessions is recognized. >> thank you very much. and thank you for this hearing. i think it's well worth our time and important questions being asked. i want to ask the entire panel, but general, i'll probably focus on perhaps you first. i'd like to move down the pathway that mr dawson was moving and that is what i would call lessons learned. can you tell me how many prosecutions, federal prosecutions, have occurred in the last five years on these issues of cybersecurity, sir? >> i don't have that information at my disposal at the moment. i'd be happy to take that question for the record and defer to the assistant director. >> sir, i can't answer that question with great fidelity. i can certainly take it back and give you a very precise answer. but it's a threat that we've worked on continuously for five years and would have accurate data to support it. >> well, the reason why i asked the question is just like mr sonya said, we are interested in what are lessons that are learned from the investigations that you do and we're interested
8:01 pm
in knowing how best. there was a question that was asked earlier about new laws, but i think we ought to know the effectiveness of what we're doing. we're spending a lot of time, a lot of resources, it's a national priority that we're engaged in. which one of you should i look for getting that answer from? >> i'd be happy to take the lead on that sir. >> thank you sir. we will write you a letter to help you. being up here is a whole lot of fun but we'll follow up and write you a letter requesting that information and will include the chairwoman in that request. so for any one of you there, you could probably dissect the marketplace problems into about 15 different areas. i put it, i'm going to put it simply today in one or two ways and that is malware which is, you know, this malicious use of the computers, the other might
8:02 pm
be computer induced where someone broke in necessarily maybe from an employee or found out about something but as it relates to an employer and related to how the employer has protected their own data and their employees. are you finding or what would the discussion be of company, what i would call a company induced breach? no, it's not related. something else. somebody was not doing the right thing. someone had a breach of their employee who gave this, how would you respond to that? let us know about the size or scope of that threat. >> so preliminary estimates or the best data we have that drives our estimates are that 90% of cyber breaches on user and user equipment or infrastructure for a company are induced by human error. but i think where we see an intersection is between what we would call an insider threat and
8:03 pm
the information an insider has access to that's trying to sell to a nation state or somebody trying to get economic gain and the overlap between that set of information, intellectual property, whatever have you, and what hackers are also going after. and we see a core intersection between insider threat and hacker breaches going after the same thing. we've seen it in covid research, to advance defibrillators, aerospace engineering designs, subject to human penetrations, corruption, insiders. we've seen it across a gamut. so we do see a very, very keen intersection right there. >> so in other words, your investigators once they were able to effectively get their handle around the problem and look at how things happened, you're finding that employees and systems within companies many times are the large breach. so one of the questions i'd like to ask general is then, and then if you have this information about how many people then were
8:04 pm
prosecuted, what i would call on an internal basis, by their company. one of the questions why we asked this and one of my colleagues previously asked is, are there new laws? years ago we were really concerned with making sure that someone could report their information without being held liable necessarily, in those words, to share information about the things that were happening, which would help everybody. but in this case, if a major part of or, as you allude to, some part of the failure is with an employee, for us to know more about those employees. did they come from a certain pool, perhaps a school, mba program where they had been involved, perhaps an area of the country, perhaps on something, whatever your investigation might do, if you could give us
8:05 pm
any clue about, at least happy -- >> happy to take that question and provide a fulsome response. i would say that the 90% figure the assistant director cited is one that i cite as well. but the vast majority of those people don't intend to make those mistakes. they simply make them. they're not well equipped to make an appropriate choice at the moment. they might click on a link, thinking it's one thing, that's provided by someone who's phishing them and so on and so forth. and so we can give you very great clarity about the percentage of things attributable to human beings and those that were malicious in their intent. >> and i think that's important. i'm not an athlete. i'm a football player and i threw interceptions that i didn't mean to, but i had to correct my behavior in some circumstances to understand what happened when i threw the pass. and i think if business understands more clearly the huge part that their employees play. and i know we talk about it
8:06 pm
in the private sector a lot and then the government a lot. but i think that focus of that activity would help me and i appreciate you being here, each of you. this is a serious attempt. i will tell you it's just a byline. but in 1985 when i was in new jersey at what might be an old bell labs, i was on the original bell labs team that invented what might be isdn or what became broadband. and we began gathering data and information that would be in a switch which would then gather data and information about how this data stream would be included in the bureau. my father was the director at the time and the bureau was very concerned about what was being built in as information that can be gleaned on both sides of that. not only from a perpetrator but also from my company to gather information about that.
8:07 pm
and i might ask not now, but i might ask at some point for you, assistant director, about your viewpoint of gathering data and information, whether that has stayed up with time, that would aid and help not just law enforcement but the managing companies and their effort. >> i'd be happy to have that conversation with you at any time. >> great. thank you very much. >> and we're moving on. the gentleman from georgia. >> thank you madam chair for holding this very important committee meeting today and hearing on this very important subject. i introduced the cybersecurity opportunity act with senator also to fund a cybersecurity grant education program at historically black colleges and universities and minority serving institutions. this legislation would promote
8:08 pm
cybersecurity education and research through grants to hbcus and msis and help build a more diverse workplace. how valuable is it to bring diversity into the cybersecurity workforce? >> i think diversity is essential in the cybersecurity workforce. a diverse workforce brings every perspective, cognitive diversity as well as experiential diversity, to the table in a way that that team is much harder to beat than any other team. and so i think it's very important for us to make investments of that sort. >> thank you. mr wales. >> yes, i mean to echo director inglis. we often, you know, i think cybersecurity is often thought of as largely a technical problem. what we've often said is that it's really a problem solving
8:09 pm
challenge and we need people who are effective at solving problems and the more people, the more diversity we have, looking at those problems, the better we're going to be at solving them and bringing to bear the right solutions to the significant risks and challenges that we face in this area. and so we are working hard. as i mentioned, this is one of the top priorities for director easterly at cisa, to expand our diversity. our work with hbcus and minority serving institutions and reaching out to communities that have never been priorities for engagement in the cybersecurity sphere is among our highest priorities and we're really happy to work with you on the legislation that you discussed. >> thank you sir. >> thanks for the question. i'm going to broaden your question just a bit and just say for the fbi and for the director, diversity across the entirety of the organization is a number one priority for all of us. certainly that cuts into cyber and the need to diversify. what director inglis and mr wales said, diversity, gender, ethnicity, it just makes us better because
8:10 pm
it accounts for every different viewpoint that's represented in our society. >> thank you. according to an article published by the association of american medical colleges, about a third of healthcare organizations globally reported being hit by ransomware in 2020. while the inconveniences of cyber attacks such as the one on the colonial pipeline were felt in many homes, our family members' and friends' lives are at risk when hospitals go offline. with so much reliance on the internet in general, are hospitals generally prepared to meet the challenges to patient care that arise from ransomware attacks? >> thank you very much for the question congressman, i don't have the data at hand to indicate how many of those were successful. again, we know about 25% broadly of attacks that take place. we don't know about the other
8:11 pm
75%. that being said, i think that every critical sector, the hospital being kind of in the center of one very important critical sector, i think can do a better job of improving resilience and robustness, kind of mounting a proactive defense and ultimately ensuring that they access all resources, to include governmental resources, right, to help in that defense or in the response. as i think was indicated earlier, it often is a target rich environment, a resource poor environment. so we need to make sure that the hospitals have the necessary resources to make those investments and to properly defend those assets. >> thank you. in that same article, it was disclosed that rural hospitals are more vulnerable to cyber attacks than those located in urban or suburban areas. how is your office addressing the need for cybersecurity resources such as training and software in smaller rural hospitals? >> sir, if i might kind of defer that question to deputy director
8:12 pm
brandon wales, who addressed this earlier and i think quite thoughtfully so. >> it is the real challenge to make sure that we get out to the organizations that are most in urgent need of our support. i think we're trying to do this at a number of different levels. a lot of it starts with working at the state level with the state authorities, that we can help bring down support that they may have into the local communities, identify those places that most need support and be a conduit back. there are some states that have things called cyber navigators that are cybersecurity experts provided by the state to support local communities as they're building their cybersecurity posture. we've deployed cybersecurity state coordinators from cisa to be a linkage back to the federal government, back to cisa, and make sure that our products and services are being used in communities at the state and local level throughout the country. in addition, the most
8:13 pm
recent infrastructure bill included a cybersecurity grant program that could help many public hospitals throughout the country, particularly because it has certain provisions that require certain support to go out to rural communities as part of that grant program. so we think it could be an important stepping stone to begin to provide some of those resources that those communities need to begin to put in place the baseline cybersecurity that we would want for such critical infrastructure to have. >> thank you. the gentleman from georgia, mr clyde is recognized. >> thank you madam chair. director inglis, it's a pleasure to see you again. and assistant director vorndran and executive director wales, thank you for being here today to share your insights on the threats that ransomware poses to our security. i would also like to wish cisa a happy third birthday.
8:14 pm
director, i would offer you this question and then i would like a follow-up. i believe that a country's defense is best summed up in its offense, in its offensive capabilities. so without a strong offense, i think our nation will lack the ability to deter and respond to attacks conducted by both state and non state actors. can you briefly highlight what capabilities are at the government's disposal to properly respond and eliminate those threats? and if you believe that you cannot discuss those capabilities to the extent you'd like to in this hearing, would you be willing to come back and hold a classified hearing to help my colleagues and me better understand those capabilities? >> i would certainly be pleased to come back in a classified hearing and describe these things more fulsomely, but i would say that in cyberspace, as much as cyberspace can impact any instrument of power, we should in return be able to use any instrument of power to affect cyberspace. so our offense, as it were, is
8:15 pm
not simply our ability to do things in and through cyberspace but to apply legal remedies, financial remedies, diplomatic remedies, private sector remedies. they have authorities on their own owned infrastructure to bring all that to bear in a concurrent, fulsome way such that we impose costs on adversaries. that would be, i think, a proper and fulsome offense. again, offense must be an extension of the defense. the defense needs to be kind of equally important to us. >> thank you. could you comment on that too please? >> of course sir. i'll take your question in a little bit of a different direction but still get to the point. we talk offense, i understand what you're saying, but i think a lot of times in this discussion we miss sometimes how big of a role investigation plays in helping provide that defense, making sure that our victim entities in this country are in good shape. you know, for every one victim, there's usually a dozen or 100 more being affected by the same malware strain. in a recent critical infrastructure compromise, we were able to get agents out to the
8:16 pm
scene immediately and identify a zero day vulnerability. we immediately pivoted using our investigative tools. we found other zero days in critical infrastructure networks and were able to patch all those when the patch became available. those other critical infrastructure companies never would have known they were potentially vulnerable victims. in a situation with a hospital recently, we were able to get to a hospital within hours and share indicators of compromise that allowed them to eradicate an adversary from their network in real time. so i appreciate the question about offense. i would want to be part of that classified briefing with director inglis. but i think it's really important. there's a hybrid space in here between true defense and true offense that our field deployed forces are filling extremely well on a day in and day out basis. >> well, thank you. i think that cyber attacks are one of the most dangerous ones where outside entities can pierce our defenses and
8:17 pm
affect our civilians that don't have the offensive or the defensive capabilities. also, assistant director, in your testimony here you say that doj also has extensive experience in navigating complex privacy and civil liberty issues that will inevitably arise from new requirements and would prove to be invaluable in helping to set the standards that strike the right balance to ensure that incident report information is collected, stored and shared appropriately. what is not mentioned is ensuring civil liberties are protected. would you speak to the importance of protecting these civil liberties and the commitment of the fbi and the doj to do just that? >> sure. on any new incident reporting legislation, the fbi and department of justice's position has always been the same. we want full and immediate access to any data that's reported to the u.s. government
8:18 pm
because we are a decentralized organization and we can get people on site almost immediately. we are also very attentive and understanding of civil liberties, personally identifiable information and everything that's derivative of that. and we would be willing to work within any confines of a bipartisan bill to make sure that those elements are clearly protected, to make sure everybody's in a good space. >> okay, thank you. i appreciate that commitment, and i've got just a few seconds left for director wales. director easterly recently had the opportunity to discuss how the federal government's hiring process has hindered the ability to recruit the workforce it needs to safeguard our nation's important entities. she highlighted how the federal government has 20 steps to hiring someone, and the process takes about 200 days. in comparison, the private sector's hiring process typically takes about 60 days. can you provide the committee with some recommendations on how
8:19 pm
we can streamline the hiring process so that cisa can be better staffed and can more effectively carry out its mission? >> sure. that's a great question. this is an area that is of intense focus for our entire agency right now. we have worked over the past year to reduce the time by about 15%. i think it went from about 240 down to 200 days on average to hire a person. but that's still obviously too long. we're looking at an internal review to understand what we have the ability internally to change, how we can streamline it without any requirements for new legislation. but we're happy to come back to you and talk about what we've identified, and if there are additional tools that we need in order to streamline it further than we can do internally. >> thank you very much, and i yield back, madam chair. >> thank you, and i join you in your request for a classified briefing. democrats have also expressed concern and want to investigate this further. but before i close i want to offer mr grossman an opportunity to offer a closing statement.
8:20 pm
>> i'd like to thank you for having the hearing. i thought it was a good bipartisan hearing without the partisan rancor that you sometimes have. i'd like to thank our guests for being here. this is a very important topic, and failure is really not an option. i mean, there's some agencies out there that can fail and our country will continue on, but you guys cannot fail, and i hope that you make dealing with cybersecurity threats your number one priority. i think there were some indications from some of your comments that that might not be your number one goal, but it's got to be your number one goal. i share in the request for a private meeting sometime, and again i thank the chairman for keeping such a cordial hearing going. one more time, thank you. >> thank you. the gentleman yields back. i'd like to thank first and foremost all of our witnesses
8:21 pm
for appearing today, including mr wales, who appeared on very short notice. thank you. today's hearing advanced several important goals. the hearing highlighted key findings the committee released today from our investigation into major ransom payments made by u.s. companies to cybercriminals. the fbi confirmed today that these payments only fuel more criminal attacks. today's witnesses also agreed with the committee's findings that we need to do more to enhance coordination among federal agencies in responding to these attacks. mr inglis, whose role as national cyber director was championed by this committee, will be crucial to that effort. his office finally received permanent funding yesterday when president biden signed the bipartisan infrastructure bill, and i'm looking forward to his continued leadership. today's hearing also demonstrated the significant
8:22 pm
strides that the biden-harris administration has already taken to tackle ransomware head on, including by helping the private sector to prevent attacks, prosecuting attackers and working with our allies to fight back against this global challenge. finally, today's witnesses made clear that the time for congress to act is now. we need to disrupt ransomware incentives, and we need to require incident reporting so that the federal government has full visibility into every attack. i urge all my colleagues to support this critical bipartisan legislation. to all of the witnesses, i thank you for your service and i look forward to working with you to strengthen our nation's cyber defense. with that, i would like to end by saying, in closing, that i want to commend all of my
8:23 pm
colleagues and the panelists for participating today in this important conversation. with that, and without objection, all members have five legislative days within which to submit extraneous materials and to submit additional written questions for the witnesses to the chair, which will be forwarded to the witnesses for their response. i ask our witnesses to please respond as promptly as you're able. this hearing is now adjourned. thank you. [captions copyright national cable satellite corp. 2021] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]